This Data Security Policy ("Data Security Policy") is provided by LAB6IX, Inc., on behalf of itself and its Affiliates ("Lab6ix") to each Lab6ix end-user customer ("Customer") subject to the terms and conditions of the Master Services Agreement or other applicable license agreement ("License Agreement") between each Customer and Lab6ix or between a Customer and an authorized Lab6ix channel partner. In the event of a conflict between the License Agreement and this Data Security Policy, the terms of the License Agreement shall govern. Capitalized terms not otherwise defined herein shall have the meaning set forth in the License Agreement.
1.1 Protection of Customer Data and Personal Data. Lab6ix will maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Data and Personal Data, including, but not limited to, measures designed to prevent unauthorized access to or disclosure of Customer Data and Personal Data. The information security program may include, but is not limited to an appropriate software development life cycle (SDLC), access control mechanisms such as multi-factor authentication, encryption of certain data in transit and at rest, regular third party and internal information security testing, regular information security awareness training, and background screening of employees.
1.2 Security Management and Third-Party Security Audit. Lab6ix will maintain an externally accredited and business-wide Information Security Management System based on ISO 27001, or equivalent, as recommended by good industry practice, as applicable. Lab6ix engages an industry-recognized third-party auditor to conduct a SOC 2 security audit ("SOC 2") on at least an annual basis. Lab6ix will, upon written request, provide Customer with copies of its then-current SOC 2, including the applicable scope.
1.3 Customer Audit. Customer may, at its sole cost and expense, upon no less than thirty (30) business days' advance written notice to Lab6ix, and no more than once per calendar year, perform, and Lab6ix will reasonably assist with (during regular business hours), a remote vendor risk assessment ("VRA"). The VRA shall consist of a review of Lab6ix's security related documentation (at a scope to be mutually agreed) regarding its compliance with this Data Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Lab6ix's compliance with this Data Security Policy, and Lab6ix will make appropriate personnel reasonably available (during regular business hours) to answer such questions related to Lab6ix's compliance with this Data Security Policy. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an additional VRA on no less than thirty (30) business days' notice. In addition to Customer's audit rights herein, Lab6ix will reasonably cooperate and respond (during regular business hours) to Customer's annual security questionnaires. Any information exchanged in connection with the activities described in this Section is deemed to be Lab6ix's Confidential Information.
1.4 System Protection & Disaster Recovery. Lab6ix has disaster recovery and business continuity plans, and reviews each, and tests its disaster recovery plan, annually. Upon request, Lab6ix will provide a summary of its disaster recovery and business continuity planning and management practices, and the same shall be treated as Lab6ix's Confidential Information under this Data Security Policy.
1.5 Security Breach. Lab6ix will notify Customer without undue delay after detecting a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Lab6ix (any such incident, a "Security Breach"). Such notification will include (to the extent known by Lab6ix): (a) a description of the nature of the Security Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned); (b) the details of a contact point where more information concerning the Security Breach can be obtained; (c) its likely consequences; and (d) the measures taken or proposed to be taken to address the Security Breach, including to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.