Common use of Data Access Controls Clause in Contracts

Data Access Controls. Vendor shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, that direct database query access is restricted, and that application access rights are established and enforced to ensure that persons entitled to use a data processing system have access only to the personal data to which they have privilege of access; and that personal data cannot be read, copied, modified or removed without authorization in the course of processing.

Cybersecurity Controls. Vendor has implemented a cyber security defense strategy in several layers as a protection against unauthorized access. Vendor will utilize one or more of the following if reasonable and appropriate:
a. Firewalls;
b. Web Application Firewall (WAF);
c. Security Monitoring Centre;
d. Antivirus software;
e. Backup and recovery;
f. Penetration testing;
g. Intrusion detection.

Transmission Controls. Vendor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged, so that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. Data in transit will be encrypted using industry standard algorithms and certificates, e.g. HTTPS encryption, secure communication tunnels (VPN), etc. Exceptions may include data in transit between components of the Vendor solution within a suitably secure environment, e.g. between an application server and a database server in a secure data center. Data at rest is protected through encryption of stored data using industry standard solutions, e.g. BitLocker.

Input Controls. Vendor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed. Vendor shall take reasonable measures to ensure that:
a. the personal data source is under the control of customer; and
b. personal data integrated into Vendor's systems is managed by a secured/encrypted transfer mechanism from the customer.

Data Backup. Vendor shall ensure that back-ups are taken on a regular basis, are secured, and are encrypted when storing personal data, to protect against accidental destruction or loss when hosted by outsourced cloud infrastructure providers. Vendor will on a periodic basis ensure that it is possible to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident.

Policies. Vendor senior management assess and approve policies, including those related to data privacy, security and acceptable use. Policies are documented and published among all relevant personnel. Employees and contracted third parties are required to comply with policies relevant to their scope of work. New employees receive training on confidentiality obligations, information security, compliance, and data protection. Employees receive regular training updates, which cover Information Security policies and expectations. Where required, policies are supported by associated procedures, standards, and guidelines. Information Security policies are updated, as needed, to reflect changes to business objectives or risk. Senior management performs an annual review of all Information Security policies. Information Security policies are stored, maintained, updated, and published in a centralized, online location. Vendor's Information Security Management System contains sections on password requirements, Internet usage, computer security, confidentiality, customer data protection, and Company data protection.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement