Data Privacy and Security. A. Customer Instructions and Use of Personal Data. Under this Agreement, Apple, acting as a data processor on Your behalf, may receive Personal Data if provided by You or on Your behalf and Your End Users. By entering into this Agreement, You instruct Apple to process such Personal Data, in accordance with applicable law: (i) to provide and support Your use and Your End Users’ use of the Service, including any Apple features, functionality, and services You or applicable End Users enable; (ii) pursuant to Your instructions as given through Your or applicable End Users’ use of the Service (including the Web Portal and other features and functionality of the Service); (iii) as specified under this Agreement including as set forth in Exhibit A for student End Users; and (iv) as further documented in any other written instructions given by You and acknowledged by Apple as constituting instructions under this Agreement.
B. Compliance with law. You agree that You are solely liable and responsible for ensuring Your compliance with all applicable laws, including without limitation privacy and data protection laws, regarding the use or collection of data and information through the Service. You are also responsible for all activity related to Personal Data, including but not limited to, monitoring such Personal Data and activity, and preventing and addressing inappropriate data and activity, including the removal of data and the termination of access of the End User making such data available. You are responsible for safeguarding and limiting access to End User data by all persons and any of Your service providers, including Your Third Party Service Providers, with access to End User data and for the actions of all persons who are permitted access to use the Service by You.
C. Data Incidents. Apple will (i) notify Institution, without undue delay and as required by law, if Apple becomes aware that there has been a breach of security of the Service leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Institution’s Personal Data (“a Data Incident”); and (ii) take reasonable steps to minimize harm and secure Institution’s Personal Data. You are responsible for providing Apple with Institution’s updated contact information for such notification purposes. Apple will also assist Institution to the extent it involves Personal Data that Apple has access to in connection with the Service, to ensure Institution complies with its obligations to provide notice of Data Incidents to supervisory authorities or data subjects as required under Articles 33 and 34 of the GDPR, if applicable, or any other equivalent obligations under applicable law.
D. Your Audit/Inspection Rights. To the extent that the GDPR applies to the processing of Your or Your End Users’ Personal Data, Apple will provide You with the information necessary to demonstrate compliance with Article 28 of that law. In the event that You have audit rights under other applicable laws, Apple will provide You with the information necessary to demonstrate compliance with Your obligations under those laws. If you choose to exercise Your audit rights under this Section 3D, Apple shall demonstrate compliance by providing you with a copy of Apple Inc.’s ISO 27001 and ISO 27018 Certifications.
E. Security Procedures. Apple shall use industry-standard measures to safeguard Personal Data during the processing of Personal Data. Encrypted Personal Data may be stored at Apple’s geographic discretion. As part of these measures, Apple will also use commercially reasonable efforts to: (a) encrypt Personal Data at rest and in transit; (b) ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) restore the availability of Personal Data in a timely manner in the event of a physical or technical issue; and (d) regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data. Apple may update the security features from time to time as long as the updates do not result in the degradation of the overall security of the Service.
F. Security controls. Apple will assist You to ensure Your compliance with Your obligations with regards to the security of Personal Data, including Your Institution’s obligations, under Article 32 of the GDPR or equivalent obligations under applicable law, by implementing the Security Procedures set forth in Section 3E of this Agreement and by maintaining the ISO 27001 and ISO 27018 Certifications. Apple will make available for review by Institution the certificates issued in relation to the ISO 27001 and ISO 27018 Certifications following a request by You or Your Institution under this Section 3F.
G. Security Compliance. Apple will take appropriate steps to ensure compliance with security procedures by Apple Personnel and Apple Service Providers and Apple shall ensure that any persons authorized to process Personal Data comply with applicable laws regarding the confidentiality and security of Personal Data with regards to the Service.
H. Data Impact Assessment and Prior Consultation. Apple will reasonably assist Institution as required under applicable law, to the extent it involves Personal Data Apple has access to in connection with the Service, to ensure Institution’s compliance with any applicable obligations requiring Institution to conduct data protection impact assessments, or to consult with a supervisory authority prior to processing where such is required by law.
I. Breach Notification and Cooperation. You shall promptly notify Apple in the event that You learn or have reason to believe that any person, or entity, has breached Your security measures or has gained unauthorized access to: (1) Your Personal Data; (2) any restricted areas of the Service; or (3) Apple’s confidential information (collectively, “Information Security Breach”). In the event of an Information Security Breach, You shall provide Apple with reasonable assistance and support to minimize the harm and secure the data.
J. Data Transfer. If required by law, Apple will ensure that any international data transfer is done only to a country that ensures an adequate level of protection, has provided appropriate safeguards as set forth in applicable law, such as those in Articles 46 and 47 of the GDPR (e.g., standard data protection clauses), or is subject to a derogation in Article 49 of the GDPR. Such safeguards may include the Model Contract Clauses as executed by Apple, or other data transfer agreements, which You agree to enter into if required by Your jurisdiction, as executed by Apple at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇.▇▇▇/▇▇▇▇▇/▇▇▇▇▇▇▇▇▇▇/▇▇▇▇▇▇▇▇▇▇▇▇/. Apple’s international transfer of Personal Data collected in participating Asia-Pacific Economic Cooperation (APEC) countries abides by the APEC Cross-Border Privacy Rules (CBPR) System (▇▇▇▇://▇▇▇▇▇.▇▇▇/) and Privacy Recognition for Processors (PRP) System (▇▇▇▇://▇▇▇▇▇.▇▇▇/) for the transfer of Personal Data. In case of questions or unresolved concerns about our APEC CBPR or PRP certifications, our third-party dispute resolution provider (▇▇▇▇▇://▇▇▇▇▇▇▇▇-▇▇▇▇.▇▇▇▇▇▇.▇▇▇/▇▇▇▇▇▇▇▇/▇▇▇▇▇▇▇) can be contacted.
Appears in 1 contract
Sources: Apple School Manager Contract