Common use of SOF Production Data Access Clause in Contracts

SOF Production Data Access. The Service Provider and its Subcontractors shall require that all SOF Production Data will at all times reside in, and be maintained in and from, the State of Florida. Neither the Service Provider nor any Subcontractor will access SOF Production Data from outside of the State of Florida, nor will they send any copies of SOF Production Data outside the State of Florida without the prior written consent of the Department. Notwithstanding the foregoing and any other provision in the Contract to the contrary, the Parties agree that: (a) The Service Provider and its Subcontractors may maintain the SOF Production Data outside the State of Florida but within the continental U.S., in which event the Service Provider shall otherwise comply with all other aspects of the Security Plan except for the location of the work. (b) The Service Provider and its Subcontractors may perform Services and/or access SOF Production Data from outside of the State of Florida but within the continental U.S. for purposes of (i) storing SOF Production Data, (ii) implementing or testing the disaster recovery plan, (iii) providing desktop support services, or (iv) providing/receiving occasional and limited consulting assistance to/from the Service Provider affiliate. For purposes of this Section 6.3, a Service Provider affiliate means any entity whose parent company or ultimate parent company is NorthgateArinso, LLC. (but not a Subcontractor). (c) Members of the LSAG may perform Services and/or access SOF Production Data from outside the Service Provider’s Florida HR Service Center(s) but within the continental U.S. Such persons may also, on a limited basis, access SOF Production Data from outside of the continental U.S. in order to provide emergency production support services so long as the Department consents to such access in advance or is advised within one Business Day of such access. Persons in the LSAG must be pre-approved by the Department, which approval shall not be unreasonably withheld. The Department shall promptly review each request and either state its objections or request more information. The Service Provider shall advise the Department’s Contract Manager of any changes in the LSAG and provide the Department with an updated LSAG Master Listing of the group on a quarterly basis as described in Section 3.3 (“Deliverables”). (d) The Service Provider may use SAP, Oracle and other third party software or hardware vendors to provide certain IT services from outside the State of Florida and outside the continental U.S. to support those who provide Services under this Contract. In the course of providing such emergency services, these vendors may access SOF Production Data but shall not have direct access to the HRIS. The Service Provider shall use reasonable efforts to obtain the Department’s written consent prior to giving such access to these vendors, and shall advise the Department within one Business Day of such access. (e) Employees of the Service Provider (other than HR Specialists) may use their business laptop computers to access SOF Production Data by reading, replying, forwarding, having or using electronic mail, or otherwise utilizing the electronic mail system, on a temporary, limited basis when traveling outside the State of Florida and/or outside the continental U.S. so long as (i) the employee has a legitimate business need to access the data, (ii) the restrictions in Sections 6.5 (“Security Breaches and Incidents”), 6.6 (“Encryption Requirements”) and 6.8 (“Confidentiality Obligations”) are met, (iii) the amount of any SOF Production Data that is customarily considered to be sensitive or confidential (e.g., social security number) being accessed is minimal, and (iv) there is no practical risk of a Security Breach. For purposes of this paragraph, an employee of the Service Provider shall be deemed to include U.S. based management employees of the Service Provider (or its affiliates), any U.S. based IT employee of the Service Provider (or its affiliates) who is essential in the provision of Services, and members of the LSAG. (f) Employees of the Service Provider, its affiliates and any third party software or hardware vendor (but not a Subcontractor) may provide Ancillary Support Services to Service Provider or its affiliates. These employees may access SOF Production Data in the course of providing such Services so long as the employee has a legitimate business need to access the data and the following conditions are met: (i) the employees do not have direct access to the HRIS, (ii) the access occurs within the continental U.S. to the extent practicable, (iii) there is no practical risk of a Security Breach, (iv) the restrictions in Sections 6.5 (“Security Breaches and Incidents”), 6.6 (“Encryption Requirements”) and 6.8 (“Confidentiality Obligations”) are met, and (v) the employees meet the standard background screening requirements for their employer. The Parties acknowledge that this Section does not require any new or additional background screening processes. (g) The Department understands that some of the Ancillary Support Services, particularly in the area of IT and engineering services, may involve business models that call upon available resources regardless of geographic location. The Department acknowledges the impracticality of changing these business models for one customer and recognizes that the Service Provider may continue to perform these Ancillary Support Services from outside the continental U.S. The Department expects the Service Provider to notify the Department in advance if the Ancillary Support Services are provided outside of the continental U.S. (h) In-house legal staff and internal audit staff, outside law firms and independent auditing firms retained by the Service Provider (or its affiliates or Subcontractors) may have limited access to SOF Production Data within the continental U.S. as is customary and reasonable within the scope of their professional engagement. These persons shall not be given direct access to the HRIS. (i) The Service Provider or its affiliates may store emails containing SOF Production Data on servers located in secure Service Provider or affiliate work locations outside the State of Florida but within the continental U.S. for employees who are based outside the State of Florida, or for employees who are based inside the State of Florida but whose emails are regularly stored on servers located outside of the State of Florida but within the continental U.S. (j) The FSA / HSA and talent management Subcontractors may maintain and access SOF Production Data from outside the State of Florida but within the continental U.S. (k) The Department understands that some technical support services may involve a business model that calls upon available resources regardless of geographic location. The Department acknowledges the impracticality of changing this business model for SuccessFactors and recognizes and consents that personnel of Authorized SAP Entities, as defined below, may continue to perform these services and their related necessary activities from outside the continental U.S. SuccessFactors, and SAP AG, a wholly owned operating subsidiary of SAP SE, function as business unit within SAP. From time to time, SAP SE and / or its affiliates may perform certain services (such as technical support) on behalf of SuccessFactors (the forgoing, together with SuccessFactors, are collectively, the “Authorized SAP Entities”). In such event, provisions set forth below applicable to SuccessFactors, shall also apply to the Authorized SAP Entities. In the course of providing such services, personnel of an Authorized SAP Entity may have access to the HRIS and SOF Production Data provided: (i) personnel have a legitimate business need to access the SOF Production Data; (ii) the Authorized SAP Entity applies its standard policy for background checks to such personnel to the extent allowable under applicable local regulations including the home country of such personnel; (iii) the amount of any SOF Production Data that is customarily considered sensitive or confidential (e.g., Social Security Number) being accessed is only that which is necessary for the personnel to meet the legitimate business need, (iv) the Authorized SAP Entity applies its then-current standard security policy to minimize risk of breach; and (v) the Authorized SAP Entity follows its then-current “Support Access: How to Grant Support Access to SuccessFactors Support Staff” document, or the equivalent document of the Authorized SAP Entity. If an Authorized SAP Entity is found in violation of any of the foregoing conditions (i) – (v), the Department shall notify Service Provider of violation and allow not less than 10 Business Days, or more than 45 calendar days, for Service Provider to effectuate a cure. (l) Any other requests to have SOF Production Data maintained or accessed from outside the State of Florida shall require the Department’s prior written consent.

SOF Production Data Access. The Service Provider and its Subcontractors shall require that all SOF Production Data will at all times reside in, and be maintained in and from, the State of Florida. Neither the Service Provider nor any Subcontractor will access SOF Production Data from outside of the State of Florida, nor will they send any copies of SOF Production Data outside the State of Florida without the prior written consent of the Department. Notwithstanding the foregoing and any other provision in the Contract to the contrary, the Parties agree that: (a) The Service Provider and its Subcontractors may maintain the SOF Production Data outside the State of Florida but within the continental U.S.U.S. for purposes of disaster recovery reasons, in which event the Service Provider shall otherwise comply with all other aspects of the Security Plan except for the location of the work. (b) The Service Provider and its Subcontractors may perform Services and/or access SOF Production Data from outside of the State of Florida but within the continental U.S. for purposes of (i) storing SOF Production Data, (ii) implementing or testing the disaster recovery plan, (iiiii) providing desktop support services, or (iviii) providing/receiving occasional and limited consulting assistance to/from the Service Provider affiliate. For purposes of this Section 6.3, a Service Provider affiliate means any entity whose parent company or ultimate parent company is NorthgateArinso, LLC. Inc. (but not a Subcontractor). (c) Members of the LSAG may perform Services and/or access SOF Production Data from outside the Service Provider’s Florida HR Service Center(s) but within the continental U.S. Such persons may also, on a limited basis, access SOF Production Data from outside of the continental U.S. in order to provide emergency production support services so long as the Department consents to such access in advance or is advised within one Business Day of such access. Persons in the LSAG must be pre-approved by the Department, which approval shall not be unreasonably withheld. The Department shall promptly review each request and either state its objections or request more information. The Service Provider shall advise the Department’s Contract Manager of any changes in the LSAG and provide the Department with an updated LSAG Master Listing of the group on a quarterly basis as described in Section 3.3 (“Deliverables”). (d) The Service Provider may use SAP, Oracle and other third party software or hardware vendors to provide certain IT services from outside the State of Florida and outside the continental U.S. to support those who provide Services under this Contract. In the course of providing such emergency services, these vendors may access SOF Production Data but shall not have direct access to the HRIS. The Service Provider shall use reasonable efforts to obtain the Department’s written consent prior to giving such access to these vendors, and shall advise the Department within one Business Day of such access. (e) Employees of the Service Provider (other than HR Specialists) may use their business laptop computers to access SOF Production Data by reading, replying, forwarding, having or using electronic mail, or otherwise utilizing the electronic mail system, on a temporary, limited basis when traveling outside the State of Florida and/or outside the continental U.S. so long as (i) the employee has a legitimate business need to access the data, (ii) the restrictions in Sections 6.5 (“Security Breaches and Incidents”), 6.6 (“Encryption Requirements”) and 6.8 (“Confidentiality Obligations”) are met, (iii) the amount of any SOF Production Data that is customarily considered to be sensitive or confidential (e.g., social security number) being accessed is minimal, and (iv) there is no practical risk of a Security Breach. For purposes of this paragraph, an employee of the Service Provider shall be deemed to include U.S. based management employees of the Service Provider (or its affiliates), any U.S. based IT employee of the Service Provider (or its affiliates) who is essential in the provision of Services, and members of the LSAG. (f) Employees of the Service Provider, its affiliates and any third party software or hardware vendor (but not a Subcontractor) may provide Ancillary Support Services to Service Provider or its affiliates. These employees may access SOF Production Data in the course of providing such Services so long as the employee has a legitimate business need to access the data and the following conditions are met: (i) the employees do not have direct access to the HRIS, (ii) the access occurs within the continental U.S. to the extent practicable, (iii) there is no practical risk of a Security Breach, (iv) the restrictions in Sections 6.5 (“Security Breaches and Incidents”), 6.6 (“Encryption Requirements”) and 6.8 (“Confidentiality Obligations”) are met, and (v) the employees meet the standard background screening requirements for their employer. The Parties acknowledge that this Section does not require any new or additional background screening processes. (g) The Department understands that some of the Ancillary Support Services, particularly in the area of IT and engineering services, may involve business models that call upon available resources regardless of geographic location. The Department acknowledges the impracticality of changing these business models for one customer and recognizes that the Service Provider may continue to perform these Ancillary Support Services from outside the continental U.S. The Department expects the Service Provider to notify the Department in advance if the Ancillary Support Services are provided outside of the continental U.S. (h) In-house legal staff and internal audit staff, outside law firms and independent auditing firms retained by the Service Provider (or its affiliates or Subcontractors) may have limited access to SOF Production Data within the continental U.S. as is customary and reasonable within the scope of their professional engagement. These persons shall not be given direct access to the HRIS. (i) The Service Provider or its affiliates may store emails containing SOF Production Data on servers located in secure Service Provider or affiliate work locations outside the State of Florida but within the continental U.S. for employees who are based outside the State of Florida, or for employees who are based inside the State of Florida but whose emails are regularly stored on servers located outside of the State of Florida but within the continental U.S. (j) The FSA / HSA and talent management Subcontractors may maintain and access SOF Production Data from outside the State of Florida but within the continental U.S. (k) The Department understands that some technical support services may involve a business model that calls upon available resources regardless of geographic location. The Department acknowledges the impracticality of changing this business model for SuccessFactors and recognizes and consents that personnel of Authorized SAP Entities, as defined below, may continue to perform these services and their related necessary activities from outside the continental U.S. SuccessFactors, and SAP AG, a wholly owned operating subsidiary of SAP SE, function as business unit within SAP. From time to time, SAP SE and / or its affiliates may perform certain services (such as technical support) on behalf of SuccessFactors (the forgoing, together with SuccessFactors, are collectively, the “Authorized SAP Entities”). In such event, provisions set forth below applicable to SuccessFactors, shall also apply to the Authorized SAP Entities. In the course of providing such services, personnel of an Authorized SAP Entity may have access to the HRIS and SOF Production Data provided: (i) personnel have a legitimate business need to access the SOF Production Data; (ii) the Authorized SAP Entity applies its standard policy for background checks to such personnel to the extent allowable under applicable local regulations including the home country of such personnel; (iii) the amount of any SOF Production Data that is customarily considered sensitive or confidential (e.g., Social Security Number) being accessed is only that which is necessary for the personnel to meet the legitimate business need, (iv) the Authorized SAP Entity applies its then-current standard security policy to minimize risk of breach; and (v) the Authorized SAP Entity follows its then-current “Support Access: How to Grant Support Access to SuccessFactors Support Staff” document, or the equivalent document of the Authorized SAP Entity. If an Authorized SAP Entity is found in violation of any of the foregoing conditions (i) – (v), the Department shall notify Service Provider of violation and allow not less than 10 Business Days, or more than 45 calendar days, for Service Provider to effectuate a cure. (l) Any other requests to have SOF Production Data maintained or accessed from outside the State of Florida shall require the Department’s prior written consent.