Data Security and Integrity.
6.1. All HRTec facilities used to store and process [Customer/Agency] and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTec’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved.
6.2. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Cloud Computing Services to the [Customer/Agency] in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in Exhibit , which is incorporated herein by reference.
6.3. Without limiting the foregoing, HRTec warrants that all [Customer/Agency] Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256-bit level encryption.
6.4. HRTec shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement.
6.5. HRTec will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the [Customer/Agency] as legitimate, as specified in Exhibit .
6.6. Prior to the Effective Date of this Agreement, HRTec will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) audit of Supplier’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A vulnerability scan, performed by a HRTec and [Customer/Agency]-approved Third Party scanner, of HRTec’s systems and facilities that are used in any way to deliver Cloud Computing Services under this Agreement
(d) A formal penetration test, performed by the process and qualified personnel approved by HRTec and [Customer/Agency], of HRTec’s systems and facilities that are used in any way to deliver Cloud Computing Services under this Agreement.
6.7. HRTec will provide the [Customer/Agency] the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of HRTec’s receipt of such results.
6.8. Based on the results of the above audits, certifications, scans and tests, HRTec will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement, and provide the [Customer/Agency] with written evidence of remediation.
6.9. The [Customer/Agency] may require, at its expense, that HRTec perform additional audits and tests, the results of which will be provided to the [Customer/Agency] within seven (7) business days of Supplier’s receipt of such results.
6.10. HRTec shall protect the [Customer/Agency] and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits. HRTec will provide the [Customer/Agency] the results of the above audits, along with Supplier’s plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of HRTec’s receipt of such results.
Appears in 1 contract
Sources: Cooperative Contract
Data Security and Integrity. 6.1. 6.1 All HRTec facilities used to store and process [Customer/Agency] University and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTecSupplier’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved.
6.2. HRTec 6.2 Supplier shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Cloud Computing Services to the [Customer/Agency] University in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in Exhibit , which is incorporated herein by reference.
6.3. 6.3 Without limiting the foregoing, HRTec Supplier warrants that all [Customer/Agency] University Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256128-bit level encryption.
6.4. HRTec 6.4 Supplier shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement.
6.5. HRTec 6.5 Supplier will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the [Customer/Agency] University as legitimate, as specified in Exhibit .
6.6. 6.6 Prior to the Effective Date of this Agreement, HRTec Supplier will at its expense conduct or have conducted the following, and thereafter, HRTec Supplier will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) SSAE 16/SOC 2 audit of Supplier’s security policies, procedures and controls;
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification[ENTER “NIST FIPS 200 AND SP 800-53”, “ISO 27001/27002”, OR OTHER ACCEPTABLE STANDARD CLOUD COMPUTING SERVICES CERTIFICATION HERE].
(c) A vulnerability scan, performed by a HRTec and [Customer/Agency]-approved University-approved Third Party scanner, of HRTecSupplier’s systems and facilities that are used in any way to deliver Cloud Computing Services under this Agreement;
(d) A formal penetration test, performed by the a process and qualified personnel approved by HRTec and [Customer/Agency]University, of HRTecSupplier’s systems and facilities that are used in any way to deliver Cloud Computing Services under this Agreement.
6.7. HRTec 6.7 Supplier will provide the [Customer/Agency] University the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of HRTecSupplier’s receipt of such results.
6.8. 6.8 Based on the results of the above audits, certifications, scans and tests, HRTec Supplier will, within thirty (30) calendar days of receipt of such results, promptly modify its security measures in order to meet its obligations under this Agreement, and provide the [Customer/Agency] University with written evidence of remediation.
6.9. The [Customer/Agency] 6.9 University may require, at its expense, that HRTec Supplier perform additional audits and tests, the results of which will be provided to the [Customer/Agency] University within seven (7) business days of Supplier’s receipt of such results.
6.10. HRTec 6.10 Supplier shall protect the [Customer/Agency] University and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Third Party Data integrity audits. HRTec Supplier will provide the [Customer/Agency] University the results of the above audits, along with Supplier’s plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of HRTecSupplier’s receipt of such results.
Appears in 1 contract
Sources: Cloud Computing Services Agreement
Data Security and Integrity. 6.1. [under review by IT security personnel]
a. All HRTec facilities used to store and process [Customer/Agency] Customer and End User Data data will implement and maintain employ commercial best practices, including appropriate administrative, physical, technicaland technical safeguards, and procedural safeguards and best practices at a level sufficient to secure such Data data from unauthorized access, destructiondisclosure, alteration, and use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTecVendor’s own Data data of a similar type, and in no event less than reasonable in view of the type and nature of the Data data involved.
6.2. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the Cloud Computing Services to the [Customer/Agency] in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in Exhibit , which is incorporated herein by reference.
6.3. Without limiting the foregoing, HRTec Vendor warrants that all [Customer/Agency] Customer Data and End User Data will be encrypted in transmission (including via web interface) and in storage at no less than 128‐bit level encryption [or cite NIST, ISO, or FIPS standards], and that Vendor will comply with all other technical specifications of Customer provided in Exhibit ___, which is incorporated herein by reference. [Tech specs are where any other NIST etc. standards or other specific standards a level equivalent to or stronger than 256-bit level encryptionschool wants, e.g. HIPAA security standards, would go]
6.4. HRTec shall at all times b. Vendor will use industry-standard industry‐standard and up-to-date up‐to‐date security tools, tools and technologies and procedures including, but not limited to anti-virus and anti-malware such as anti‐virus protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement.
6.5. HRTec c. [for outsourced email services] Vendor will configure the Services to filter spam while permitting communications from Third Party third‐party Internet Protocol addresses identified by the [Customer/Agency] Customer as legitimate, as specified in Exhibit ___.
6.6. Prior to the Effective Date of this Agreement, HRTec d. Vendor will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) annually: • A Third-Party Assessment Organization (3PAO) SAS 70 audit of SupplierVendor’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A controls resulting in the issuance of a Service Auditor’s Report Type II; • a vulnerability scan, performed by a HRTec and [scanner approved by Customer/Agency]-approved Third Party scanner, of HRTecVendor’s systems and facilities that are used in any way to deliver Cloud Computing Services services under this Agreement
(d) A ; and • a formal penetration test, performed by the a process and qualified personnel approved by HRTec and [Customer/Agency], of HRTecVendor’s systems and facilities that are used in any way to deliver Cloud Computing Services services under this Agreement.
6.7. HRTec e. Vendor will provide the [Customer/Agency] the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of HRTec’s receipt of such results.
6.8. Based on Customer upon request the results of the above audits, certifications, scans and tests, HRTec will, within thirty (30) calendar days of receipt of such results, and will promptly modify its security measures as needed based on those results in order to meet its obligations under this Agreement, and provide the [Customer/Agency] with written evidence of remediation.
6.9. The [Customer/Agency] Customer may require, at its expense, that HRTec Vendor to perform additional audits and tests, the results of which will be provided promptly to the [Customer/Agency] within seven (7) business days of Supplier’s receipt of such results.
6.10. HRTec shall protect the [Customer/Agency] and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits. HRTec will provide the [Customer/Agency] the results of the above audits, along with Supplier’s plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of HRTec’s receipt of such results.
Appears in 1 contract
Sources: Services Agreements
Data Security and Integrity. 6.1. All HRTec facilities used to store and process [Customer/Agency] Participating Entity and End User Data will implement and maintain administrative, physical, technical, and procedural safeguards and best practices at a level sufficient to secure such Data from unauthorized access, destruction, use, modification, or disclosure. Such measures will be no less protective than those used to secure HRTec’s own Data of a similar type, and in no event less than reasonable in view of the type and nature of the Data involved.
6.2. HRTec shall maintain the administrative, physical, technical, and procedural infrastructure associated with the provision of the FedHIVE Cloud Computing Services to the [Customer/Agency] Participating Entity in a manner that is, at all times during the term of this Agreement, at a level equal to or more stringent than those specified in Exhibit the NASPO Master Agreement, and Participating Addendum which is incorporated herein by reference.
6.3. Without limiting the foregoing, HRTec warrants that all [Customer/Agency] Participating Entity Data and End User Data will be encrypted in transmission (including via web interface) and in storage at a level equivalent to or stronger than 256-bit level encryption.
6.4. HRTec shall at all times use industry-standard and up-to-date security tools, technologies and procedures including, but not limited to anti-virus and anti-malware protections and intrusion detection and reporting methods [List additional specifically required security mechanisms here as appropriate.] in providing Services under this Agreement.
6.5. HRTec will configure the Services to filter spam while permitting communications from Third Party Internet Protocol addresses identified by the [Customer/Agency] Participating Entity as legitimate, as specified in Exhibit .
6.6. Prior to the Effective Date of this Agreement, HRTec will at its expense conduct or have conducted the following, and thereafter, HRTec will at its expense conduct or have conducted the following at least once per year, and immediately after any actual or reasonably suspected Data Compromise:
(a) A Third-Party Assessment Organization (3PAO) audit of Supplier’s security policies, procedures and controls
(b) Certification under FedRAMP and/or Cloud Security Alliance Security Trust and Assurance Registry (CSA STAR) attestation and certification
(c) A vulnerability scan, performed by a HRTec and [Customer/Agency]-approved FedRAMP approved Third Party scanner, of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement
(d) A formal penetration test, performed by the process and qualified personnel approved by HRTec and [Customer/Agency]the Participating Entity, of HRTec’s systems and facilities that are used in any way to deliver FedHIVE Cloud Computing Services under this Agreement.
6.7. HRTec will provide the [Customer/Agency] Participating Entity the reports or other documentation resulting from the above audits, certifications, scans and tests within seven (7) business days of HRTec’s receipt of such results.
6.8tests. Based on the results of the above audits, certifications, scans and tests, HRTec will, within thirty (30) calendar days of receipt of such results, will promptly modify its security measures in order to meet its obligations under this Agreement, Agreement and provide the [Customer/Agency] Participating Entity with written evidence of remediation.
6.9. The [Customer/Agency] Participating Entity may require, at its expense, that HRTec perform additional audits and tests, the results of which will be provided to the [Customer/Agency] Participating Entity within seven (7) business days of Supplier’s receipt of such results.
6.10. HRTec shall protect the [Customer/Agency] Participating Entity and End User Data against deterioration or degradation of Data quality and authenticity, including, but not limited to annual Third-Party Data integrity audits. HRTec will provide the [Customer/Agency] Participating Entity the results of the above audits, along with Supplier’s a plan for addressing or resolving any shortcomings identified by such audits, within seven (7) business days of HRTec’s receipt of such results.
Appears in 1 contract
Sources: Cooperative Contract