Data Security Schedule
Omatic Security Policy
Omatic shall provide the Services in accordance with the terms and conditions regarding data security set forth herein, as well as in accordance with all applicable laws relating to data privacy and security. Omatic shall also cooperate and use best efforts to comply with any requests or instructions issued by any governmental or regulatory authority in respect of Client Confidential Information and personally identifiable information within the Client Data (collectively, the “Protected Data”). Omatic shall provide to Client a summary copy of Omatic’s written information security program and plan upon request, and will continue to supply Client with material updates to this program and plan.
Omatic will establish and maintain appropriate electronic, physical and organizational security procedures, measures and controls to guard against the destruction, loss, unauthorized access or disclosure, usage or alteration of Protected Data in the possession of Omatic, that are no less rigorous than those maintained by Omatic for its own information of a similar nature. Omatic shall use commercially reasonable efforts designed to ensure that Protected Data will be accessible only by the individuals involved in the provision, development, production and support of the Services, and that any inadvertent disclosure or discovered potential risk of unauthorized access will be communicated promptly to Client to the extent permitted by law. Omatic agrees not to sell, provide, distribute, or make available Protected Data to any third party, except to law enforcement or regulatory authorities where required. Protected Data will not be used for any purpose outside of the scope of this Agreement.
Omatic has implemented and maintains information security practices designed to meet the following objectives:
- Access controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing Protected Data to unauthorized individuals who may seek to obtain this information through fraudulent means;
- Access restrictions at physical locations containing Protected Data, such as buildings, computer facilities, and records storage facilities to permit access only to authorized individuals;
- Encryption of electronic Protected Data while in transit and while in storage;
- Segregation of duties, and new hire employee background checks for employees with responsibilities for or access to Protected Data;
- Response programs that specify actions to be taken when Omatic or a Client suspects or detects that unauthorized individuals have gained access to Omatic information systems, including appropriate reports to regulatory and law enforcement agencies; and
- Appropriate technological measures, including data leakage prevention tools, to monitor and control the movement of Protected Data through email, the internet and personal storage devices, and to protect against accidental loss, destruction, damage, alteration or disclosure.
Upon discovery, Omatic agrees to notify Client of any unauthorized disclosure, access to, or misuse of Protected Data (“Breach”) and confirm receipt by Client as soon as possible, but in no event shall such notification and confirmed receipt by the Client be later than 10 business days following discovery of the Breach. Unless Omatic has used secure communication channels, such notification shall not contain any Protected Data. Notwithstanding the foregoing, Omatic may delay notification of a Breach if a law enforcement agency determines that such notification will impede a criminal investigation; such notification will then occur promptly after the law enforcement agency determines that it will not compromise the investigation.
Notification to Client of a Breach is to be made by phone and electronically via email. Neither party may delay or interfere with any required notification of clients, consumers, regulatory agencies, or law enforcement of such a discovered or suspected incident, except as explicitly requested by involved law enforcement agencies.
Notification shall include the nature of the information lost or disclosed, how the loss or disclosure happened, the identity of all Clients or consumers potentially affected, the status of any internal or regulatory or law enforcement investigation, and any actions taken or required by either party to stop or limit any significant harm or inconvenience to the Client or any affected Clients or consumers. Each party shall remain responsible for notification of its own Clients, regulators, and law enforcement agencies of any such discovered or suspected Breaches required by laws applicable to such party and this Agreement.
No Unauthorized Access
Except in connection with providing the Services, Omatic will not access Client’s data, computing systems and/or networks without Client’s express authorization, and any such actual or attempted access shall be in accordance with the written authorization provided by Client. Under no circumstances shall Omatic personnel or contractors operate any electrical or mechanical device controlling any part of the equipment of any Client facility except with the explicit permission of an authorized Client representative. Unless authorized by Client in advance and in writing, Omatic and its employees shall not load or use any software products or materials within Client’s systems or environments. Omatic shall take all necessary steps to ensure that its personnel comply with this provision and that, to the extent any personnel have access to Client’s systems or environments, all of its employees are instructed to conform to Client’s reasonable requirements.
All Omatic employees, independent contractors, and sub-contractors providing Services to Client or with access to the premises, records or data of Client shall have been screened by Omatic and subjected to detailed pre-employment background checks (including federal, state and county-of-residence criminal background checks). Omatic shall not knowingly permit any Omatic employee or contractor to have access to the premises, records or data of Client when such person has been convicted of a crime in connection with a dishonest act or a breach of trust.