Common use of Confidentiality and Data Security Clause in Contracts

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore: a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipients, affiliates, officers, agents, and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees and Recipients are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, or Recipients, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, and all costs associated with the notice, or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore: a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipients, affiliates, officers, agents, and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees and Recipients are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, or Recipients, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, and all costs associated with the notice, or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- advertising-related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore: a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, operation or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State state or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, applications and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipientscontractors, subcontractors, subgrantees, affiliates, officers, agents, agents and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees employees, contractors, subcontractors and Recipients subgrantees are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State state or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, produced or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, contractors and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, contractors, subcontractors or Recipientssubgrantees, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State state or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, any and all costs associated with the notice, notice or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore:: All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, operation or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) PII and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State state or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, applications and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipientscontractors, subcontractors, subgrantees, affiliates, officers, agents, agents and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees employees, contractors, subcontractors and Recipients subgrantees are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions.to h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee▇▇▇▇▇▇▇’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State state or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, produced or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, contractors and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, contractors, subcontractors or Recipientssubgrantees, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State state or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, any and all costs associated with the notice, notice or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore:: All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, operation or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) PII and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State state or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, applications and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process.whatsoever e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipientscontractors, subcontractors, subgrantees, affiliates, officers, agents, agents and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees employees, contractors, subcontractors and Recipients subgrantees are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State state or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, produced or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, contractors and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, contractors, subcontractors or Recipientssubgrantees, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State state or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, any and all costs associated with the notice, notice or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, and Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore:: All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. a. All information or data gathered pursuant to this Grant shall be held confidential and released only to CARB or other entities as CARB may specify in writing. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, operation or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) PII and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State state or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, applications and data which comes into its possession under this Grant Agreement in perpetuity, and shall not release or publish any such information, records, data, or application records without first obtaining in each instance the advance written approval of an authorized representative of CARB. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipientscontractors, subcontractors, subgrantees, affiliates, officers, agents, agents and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement. f. The Grantee must ensure that the Grantee’s employees employees, contractors, subcontractors and Recipients subgrantees are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII or documentation for any purpose other than for the sole purpose of performing Grantee▇▇▇▇▇▇▇’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State state or federal officials where required by applicable laws. o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, produced or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, contractors and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of Grantee or any of its employees, agents, officers, contractors, subcontractors or Recipientssubgrantees, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State state or federal officials. If applicable law requires, or if CARB determines, that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, any and all costs associated with the notice, notice or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests. t. The Grantee shall ensure that confidential, sensitive and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.

Confidentiality and Data Security. Except as required by applicable law, or as otherwise expressly authorized by this Grant Agreement, the Grantee shall not disclose to any third party any record which CARB has designated as confidential. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act (California Government Code Section 6250 et seq.) or other law, the Grantee shall give CARB at least 10 calendar days written notice prior to any planned disclosure, disclosure and the Grantee shall not object to CARB seeking a court order preventing disclosure. It is expressly understood and agreed that information the Grantee collects on behalf of the Grantor or from a third party in performing its obligations under this Grant Agreement may be deemed confidential by the Grantor. Therefore: a. All information or data gathered pursuant to this Grant shall be held confidential accessible only to the Grantee’s employees, agents, or contractors as needed to perform the Grantee’s obligations under this Grant Agreement and released only to CARB or other entities as CARB may specify in writingwriting unless such disclosure is required by law or legal process. b. The Grantee certifies that it has appropriate systems and controls in place to ensure that Grant funds will not be used in the performance of this Grant Agreement for the acquisition, operation, or maintenance of computer software in violation of copyright or other intellectual property laws. c. Information or data, including but not limited to personally identifiable information (PII) and all application records and supporting documentation that personally identifies or describes an individual or individuals is confidential in accordance with California Civil Code sections 1798, et seq. and other relevant State state or federal statutes and regulations. The Grantee shall safeguard all such information, records, applications, and data which comes into its possession under this Grant Agreement in perpetuity, perpetuity and shall not release or publish any such information, records, data, or application records information without first obtaining in each instance the advance written approval of an authorized representative of CARB. The Grantee shall dispose of such information in accordance with the Grantee’s data retention policy and the requirements in this Grant Agreement. d. The Grantee must observe complete confidentiality with respect to such information or data collected pursuant to this Grant, including without limitation, agreeing not to disclose or otherwise permit access to such information or data by any person or entity in any manner whatsoever unless such disclosure is required by law or legal process. e. The Subject to paragraph 1 above, the Grantee must acknowledge the confidential nature of such information and ensure by agreement or otherwise that the Grantee, its employees, Recipientscontractors, subcontractors, subgrantees, affiliates, officers, agents, and assigns are prohibited from copying or revealing, for any purpose whatsoever, the contents of such information or any part thereof, or from taking any action otherwise prohibited under any provision or section of this Grant Agreement.. Sample f. The Grantee must ensure that the Grantee’s employees employees, contractors, subcontractors and Recipients subgrantees are informed of the confidential nature of any shared information or data and ensure by written agreement that such individuals and entities are prohibited from (i) copying, revealing, or utilizing such information or data (or any parts thereof) for any purpose other than fulfillment of this Grant, Grant and (ii) from taking any action otherwise prohibited under any provision or section of this Grant Agreement. g. The Grantee shall limit access to information and data gathered pursuant to this Grant only to necessary employees employees, agents, and contractors to perform their job duties in fulfillment of the Grant Agreement provisions. h. The Grantee must not use such information or any part thereof in the performance of services to others or for the benefit of others in any form whatsoever whether gratuitously or for valuable consideration. i. The Grantee must notify the Grantor promptly and in writing of the circumstances surrounding any possession, use or knowledge of such information or any part thereof, thereof by any person other than those authorized by this document. j. The Grantee must adhere to all CARB confidentiality, disclosure, and privacy policies. k. The Grantee must treat all information, deliverables, and work products developed or collected pursuant to this Grant as confidential. All information, deliverables, and work products cannot be disclosed in any form to any third party (including any Recipients) except for CARB and the Subgrantees designated in Exhibit B, Attachment IV - Key Project Personnel, of this Agreement without first obtaining the written consent of an authorized representative of CARB or except as otherwise authorized by this Grant Agreement. l. The Grantee must not use, without CARB written approval, any CARB materials, data, information, PII PII, or documentation for any purpose other than for the sole purpose of performing the Grantee’s duties and obligations under this Grant Agreement. m. At the conclusion of the engagement or upon termination of this Grant Agreement, the Grantee shall surrender all information in any form developed or collected pursuant to this Grant. n. If the Grantee suspects loss or theft, the Grantee must report any lost or stolen information, data, or equipment developed or collected pursuant to this Grant to CARB immediately and to State state or federal officials where required by applicable laws.. Sample o. The Grantee must provide CARB all pass phrases/passwords used for private keys to encrypt data used, produced, or acquired in the course of performing duties under this Grant Agreement. p. The Grantee must sign all non-disclosure and confidentiality agreements as provided by CARB and shall require employees, contractors, and subcontractors to do the same when requested by CARB. q. The Grantee agrees to notify CARB immediately of any security incident involving the information system, servers, data, or any other information developed or collected pursuant to this Grant. The Grantee agrees that CARB has the right to participate in the investigation of a security incident involving its data or conduct its own independent investigation, and that the Grantee shall cooperate fully in such investigations. r. The Grantee agrees that it shall be responsible for all costs incurred by CARB due to a security incident resulting from the acts or omissions of the Grantee or any of its employees, agents, officers, contractors, subcontractors, or Recipientssubgrantees, including any acts or omissions resulting in an unauthorized disclosure, release, access, review, or destruction of data or information; or loss, theft theft, or misuse of information or data developed or gathered pursuant to this Grant. If the Grantee experiences a loss or breach of data, the Grantee shall immediately report the loss or breach to CARB and, where required by applicable law, to State state or federal officials. If applicable law requires, requires or if CARB determines, determines that notice to the individuals whose data has been lost or breached is needed, then the Grantee shall provide all such notification and will bear any, any and all costs associated with the notice, notice or any mitigation selected by CARB. These costs include, but are not limited to, staff time, material costs, postage, media announcements, credit monitoring for impacted individuals, and other identifiable costs associated with the breach or loss of data. s. If the Grantee believes disclosure of a confidential record may be required under the California Public Records Act, the Grantee shall first give CARB at least 10 calendar days advance written notice prior to any planned disclosure so that CARB can seek, solely at CARB’s discretion, an order preventing disclosure from a court of competent jurisdiction. The Grantee agrees that it shall immediately notify and work cooperatively with CARB to respond timely and correctly to any and all public records requests.. Sample t. The Grantee shall ensure that confidential, sensitive sensitive, and/or PII information shall be encrypted in accordance with California State Administrative Manual 5350.1 and California Statewide Information Management Manual 5305-A. u. The Grantee assumes all responsibility and liability for the security and confidentiality of the PII and confidential information under its control. v. Rights to data: Grantee acknowledges, accepts, and agrees that as between Grantee and Grantor, all rights, including all intellectual property rights, in and to PII, data, information, documentation and materials shall remain the exclusive property of the Grantor, and Grantee has a limited, non-exclusive license to access, and use said information as provided to Grantee solely for performing its obligations under the Grant Agreement. Nothing herein shall be construed to confer any license or right to said PII, data, documentations, materials, or information, including user tracking and exception data, by implication, estoppel or otherwise, under copyright or other intellectual property rights, to any third party. Unauthorized use of said information by Grantee or third parties is prohibited. For the purposes of this requirement, the phrase “unauthorized use” means the data mining or processing of data, stored, or transmitted by any Grantee or third party service, for unrelated or commercial purposes, advertising, or advertising- related purposes, or for any other purpose other than security or service delivery analysis that is not explicitly authorized by Grantor. w. Grantee certifies, represents, and warrants that: i. Its data and information security standards, tools, technologies, and procedures are sufficient to protect such information and data; ii. Grantee is in compliance and shall remain in compliance at all times during the Grant Term with the following requirements and obligations: 1. The California Information Practices Act (Civil Code Sections 1798 et seq.); 2. Current NIST special publications 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings shall be made available to the Grantor upon request; 3. Undergo an annual Statement on Standards for Attestation Engagements (SSAE) No. 16 Service Organization Control (SOC) 2 Type II audit. Third party audit results and ▇▇▇▇▇▇▇’s plan to correct any negative findings and implementation progress reports shall be made available to the Grantor upon request; and 4. Privacy provisions of the Federal Privacy Act of 1974; iii. Compliance with industry standards and guidelines applicable to the work performed under the Grant Agreement. Relevant security provisions may include but are not limited to: Health Insurance Portability and Accountability Act of 1996, IRS 1075, Health Information Technology for Economic and Clinical (HITECH) Act, Criminal Justice Information Services (CJIS) Security Policy, Social Security Administration (SSA) Electronic Information Exchange Security Requirements, and the Payment Card Industry (PCI) Data Security Standard (DSS) as well as their associated Cloud Computing Guidelines.