Information Security Policy
A. Information Security Program – TEAM Software, Inc. (“TEAM”) agrees and represents that it currently maintains information protection and procedures (“Security Program”) that comply with industry best practice and are designed to preserve the confidentiality and security of client information in its possession or control, or which it has the ability to access or impact, and to protect client systems which it accesses or contacts.
TEAM’s Security Program includes:
- Appropriate administrative, technical, and physical safeguards and other security measures designed to ensure the security and confidentiality of client information.
- A security design intended to prevent any compromise of its own information systems, computer networks or data files by unauthorized users, viruses or malicious computer programs which could in turn be propagated to client.
- Appropriate internal practices including, but not limited to, using appropriate firewall and antivirus software; maintaining these countermeasures, operating systems and other applications with up-to-date virus definitions and security patches so as to avoid any adverse impact to client’s systems or information; appropriate logging and alerts to monitor access controls and to assure data integrity and confidentiality; installing and operating security mechanisms in the manner intended, sufficient to ensure that client business operations are not disrupted; permitting only authorized users access to systems and applications; and preventing unauthorized access to client’s systems via TEAM’s networks and access codes.
- All persons with authorized access to Client Information must have a genuine business need-to-know prior to access.
B. Training and Supervision – TEAM agrees that it maintains adequate training programs to ensure that its employees and any others acting on its behalf are aware of and adhere to its information security program. TEAM shall exercise necessary and appropriate supervision over its relevant employees to maintain appropriate confidentiality and security of Client Information.
C. Data Incidents – TEAM agrees to immediately notify Client of any reasonably suspected or actual loss of data or breach or compromise of its Information Security Program which has or may result in the loss or unauthorized access, disclosure, use or acquisition of Client Information (including hard copy records) or otherwise presents a potential threat to any Client systems (“Data Incident”). While the initial notice may be in summary form, a comprehensive notice will be given within 48 hours. The notice shall summarize in reasonable detail the nature and scope of the Data Incident (including each data element type that relates to a customer or Client employee, if any) and the corrective action already taken or to be taken by TEAM. TEAM shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Client in all reasonable efforts to mitigate the adverse effects of the Data Incident and to prevent its recurrence. The parties will collaborate on whether any notice of breach is required to be given to any person, and if so, the content of that notice.
D. Third Parties – TEAM shall not share, transfer, disclose or otherwise provide access to any Client Information to any third party unless Client has authorized TEAM to do so in writing. TEAM will ensure that any third party it may authorize to perform any of the services required by its contract with Client shall be obligated to have an Information Security Program equivalent to that required of TEAM (which includes all terms of this Security Addendum). Further, regarding any Data Incident, TEAM shall contractually preserve for itself – or Client – all such rights as Client has in section (C) above. Regarding audit rights, TEAM shall contractually preserve for itself – or Client – all such rights as Client has in section (F) below. TEAM shall not share Client Information with any other third party without prior written approval or, if required to comply with legal process, only after notice to Client. TEAM shall only retain third parties that are capable of performing the delegated obligations in accordance with this Information Security Addendum.
E. Ownership and Usage – Any identifiable Client Information shall remain the sole property of Client, unless agreed otherwise in writing by Client. Any usage of Client Information is limited to the sole purpose expressly authorized by this contract.
F. Security Review and Audit
- TEAM will conduct periodic reviews of its Information Security Program.
- At Client’s request, TEAM will provide Client copies of its data privacy and security policies and procedures that apply to Client Information. Subject to reasonable notice, TEAM will provide Client an opportunity to conduct a privacy and security audit of TEAM’s Information Security Program and systems and procedures that are applicable to the services provided by TEAM to Client.
G. Compliance – TEAM shall comply with all applicable legal requirements (federal, state, local and international laws, rules and regulations and governmental requirements) currently in effect and as they become effective, relating to the privacy, confidentiality or security of Client Information.
H. Secure Disposition – TEAM shall either return or dispose of Client Information if no longer needed for Client’s business or legal purposes.