Common use of Safeguarding of DIR Data Clause in Contracts

Safeguarding of DIR Data. (i) Service Provider shall maintain a comprehensive data security program, which shall include reasonable and appropriate technical, organizational and security measures against the destruction, loss, unauthorized access or alteration of DIR Data in the possession of Service Provider, and which shall be (A) no less rigorous than those maintained (or required to be maintained) by DIR or the relevant DIR Customer as of the Commencement Date (or required or implemented by DIR or the relevant DIR Customer in the future to the extent deemed necessary by DIR or such DIR Customer and communicated to Service Provider in accordance with Section 6.3(a)), (B) no less rigorous than those maintained by Service Provider for its own information of a similar nature (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), (C) no less rigorous than accepted security standards in the industry (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), and (D) (without limiting the Parties' obligations under Section 15.11) compliant with all applicable DIR Rules and DIR Standards, including the requirements of DIR's and the relevant DIR Customer's then- current privacy, security and records retention policies (such as Internal Revenue Service guidelines contained within IRS Publication 1075 (found at xxxx://xxx.xxx.xxx/pub/irs- pdf/p1075.pdf) and the rules pertaining to information technology security standards found at 1 Texas Administrative Code, Chapter 202). Service Provider acknowledges and agrees that certain DIR Customers are legally prohibited from disclosing or allowing access to certain DIR Data, including disclosures to and access by DIR, other DIR Customers and Service Provider. The content and implementation of such data security program and associated technical, organizational and security measures shall be fully documented by Service Provider in the Service Management Manual, including the process DIR Customers shall follow to identify DIR Data they are legally prohibited from disclosing and the confidentiality requirements of DIR Customers. Service Provider shall permit DIR Auditors to review such documentation and/or to inspect Service Provider's compliance with these provisions in accordance with Section 9.9. DIR acknowledges that elements of Service Provider's data security program involve customized services offerings regarding the specific means and levels of security protection selected by a customer (regarding, for example, desired levels of host and network intrusion detection services, methods for monitoring and limiting access to data, extent of desired encryption, etc.), and DIR agrees that the specific services selected by DIR pursuant to this Agreement establish the contract requirements with respect to those activities, subject to Technology Evolution and other applicable provisions of this Agreement. From time to time, but not less frequently than twice per Contract Year, Service Provider shall proactively provide technical information regarding security best practices in the industry, and upon DIR's approval Service Provider shall, subject to Section 11.5 (but without limiting Service Provider's obligations respecting Technology Evolution) implement any changes to the above security requirements through Change Control.

Safeguarding of DIR Data. (i) Service Provider shall maintain a comprehensive data security program, which shall include reasonable and appropriate technical, organizational organizational, and security measures against the destruction, loss, unauthorized access access, or alteration of DIR Data in the possession of Service Provider, and which shall be (A) no less rigorous than those maintained (or required to be maintained) by DIR or the relevant DIR Customer as of the Commencement Date (or required or implemented by DIR or the relevant DIR Customer in the future to the extent deemed necessary by DIR or such DIR Customer and communicated to Service Provider in accordance with Section 6.3(a)), ; (B) no less rigorous than those maintained by Service Provider for its own information of a similar nature (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), ; (C) no less rigorous than accepted security standards in the industry (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), ; and (D) (without limiting the Parties' obligations under Section 15.11) compliant with all applicable DIR Rules and DIR Standards, including the requirements of DIR's and the relevant DIR Customer's then- then-current privacy, security security, and records retention policies (such as Internal Revenue Service guidelines contained within IRS Publication 1075 (found at xxxx://xxx.xxx.xxx/pub/irs- pdf/p1075.pdf) and the p1075.pdf),the rules pertaining to information technology security standards found at 1 Texas Administrative Code, Chapter 202) and the auditing standards within the Control Objectives for Information and Related Technology (COBIT)). Service Provider acknowledges and agrees that certain DIR Customers are legally prohibited from disclosing or allowing access to certain DIR Data, including disclosures to and access by DIR, other DIR Customers Customers, and Service Provider. The content and implementation of such data security program and associated technical, organizational organizational, and security measures shall be fully documented by Service Provider in the Service Management Manual, including the process DIR Customers shall follow to identify DIR Data they are legally prohibited from disclosing and the confidentiality requirements of DIR Customers. Service Provider shall permit DIR Auditors to review such documentation and/or to inspect Service Provider's compliance with these provisions in accordance with Section 9.9. DIR acknowledges that elements of Service Provider's data security program involve customized services offerings regarding the specific means and levels of security protection selected by a customer (regarding, for example, desired levels of host and network intrusion detection services, methods for monitoring monitoring, and limiting access to data, extent of desired encryption, etc.), and DIR agrees that the specific services selected by DIR pursuant to this Agreement establish the contract requirements with respect to those activities, subject to Technology Evolution and other applicable provisions of this Agreement. From time to time, but not less frequently than twice per Contract Year, Service Provider shall proactively provide technical information regarding security best practices in the industry, and upon DIR's approval Service Provider shall, subject to Section 11.5 (but without limiting Service Provider's obligations respecting Technology Evolution) implement any changes to the above security requirements through Change Control.

Safeguarding of DIR Data. (i) Service Provider shall maintain a comprehensive data security program, which shall include reasonable and appropriate technical, organizational and security measures against the destruction, loss, unauthorized access or alteration of DIR Data in the possession of Service Provider, and which shall be (A) no less rigorous than those maintained (or required to be maintained) by DIR or the relevant DIR Customer as of the Commencement Date (or required or implemented by DIR or the relevant DIR Customer in the future to the extent deemed necessary by DIR or such DIR Customer and communicated to Service Provider in accordance with Section 6.3(a)), (B) no less rigorous than those maintained by Service Provider for its own information of a similar nature (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), (C) no less rigorous than accepted security standards in the industry (subject, however, to Section 11.5 and implementation through Change Control upon approval by DIR, as applicable, but without limiting Service Provider's obligations respecting Technology Evolution), (D) compliant with the rules pertaining to information technology security standards found at 1 Texas Administrative Code, Chapter 202; and (DE) (without limiting the Parties' obligations under Section 15.11) compliant with all applicable DIR Rules and DIR Standards, including the requirements of DIR's and the relevant DIR Customer's then- then-current privacy, security and records retention policies (such as Internal Revenue Service guidelines contained within IRS Publication 1075 (found at xxxx://xxx.xxx.xxx/pub/irs- pdf/p1075.pdfxxxx://xxx.xxx.xxx/pub/irs-pdf/p1075.pdf) and the rules pertaining to information technology security auditing standards found at 1 Texas Administrative Code, Chapter 202within the Control Objectives for Information and Related Technology (COBIT)). Service Provider acknowledges and agrees that certain DIR Customers are legally prohibited from disclosing or allowing access to certain DIR Data, including disclosures to and access by DIR, other DIR Customers and Service Provider. The content and implementation of such data security program and associated technical, organizational and security measures shall be fully documented by Service Provider in the Service Management Manual, including the process DIR Customers shall follow to identify DIR Data they are legally prohibited from disclosing and the confidentiality requirements of DIR Customers. Service Provider shall permit DIR Auditors to review such documentation and/or to inspect Service Provider's compliance with these provisions in accordance with Section 9.9. DIR acknowledges that elements of Service Provider's data security program involve customized services offerings regarding the specific means and levels of security protection selected by a customer (regarding, for example, desired levels of host and network intrusion detection services, methods for monitoring and limiting access to data, extent of desired encryption, etc.), and DIR agrees that the specific services selected by DIR pursuant to this Agreement establish the contract requirements with respect to those activities, subject to Technology Evolution and other applicable provisions of this Agreement. From time to time, but not less frequently than twice per Contract Year, Service Provider shall proactively provide technical information regarding security best practices in the industry, and upon DIR's approval Service Provider shall, subject to Section 11.5 (but without limiting Service Provider's obligations respecting Technology Evolution) implement any changes to the above security requirements through Change Control.