Terms & Conditions

EVALUATION AGREEMENT

PLEASE READ THIS EVALUATION AGREEMENT (“AGREEMENT”) BEFORE CLICKING THE “ACCEPT” BUTTON, AND/OR USING THE ADAPTIVE REAL ESTATE, INC. (“ADAPTIVE REAL ESTATE”) SOFTWARE-AS-A-SERVICE PRODUCT THAT ACCOMPANIES OR IS PROVIDED IN CONNECTION WITH THIS AGREEMENT. BY CLICKING THE “ACCEPT” BUTTON, SIGNING AN ORDER FORM THAT REFERENCES THIS AGREEMENT (“ORDER”), AND/OR USING THE SERVICES IN ANY WAY, YOU AND THE ENTITY THAT YOU REPRESENT (“EVALUATOR”) ARE UNCONDITIONALLY CONSENTING TO BE BOUND BY AND IS BECOMING A PARTY TO THIS AGREEMENT WITH ADAPTIVE REAL ESTATE. YOU REPRESENT AND WARRANT THAT YOU HAVE THE AUTHORITY TO BIND THE EVALUATOR TO THESE TERMS. IF EVALUATOR DOES NOT UNCONDITIONALLY AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, USE OF THE SERVICES IS STRICTLY PROHIBITED.

1. BETA SERVICES. Adaptive Real Estate is developing a proprietary cloud-based software platform that provides automated construction management tools, including automated budgeting and expenditure tracking capabilities (the “Services”). Evaluator wishes to utilize an evaluation “beta” version of the Services, and Adaptive Real Estate desires to make a beta version of the Services available to Evaluator, subject to the following terms and conditions. Subject to the terms of this Agreement, Adaptive Real Estate hereby grants Evaluator, during the Term (as defined below), a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services, by and up to the number of users authorized by Adaptive Real Estate, solely for the purpose of evaluating the performance and functionality of the Services. Evaluator agrees to use and evaluate the Services for a period of sixty days, or such other period as may be mutually agreed by the parties in writing or an applicable Order (the “Term”). Adaptive Real Estate reserves the right to discontinue or modify the Services, in whole or in part, at any time upon notice to Evaluator without liability to Evaluator or any third party.

2. INTELLECTUAL PROPERTY. The Services (excluding the Evaluator Content hosted thereon), Documentation (as defined below), and all other materials provided by Adaptive Real Estate hereunder, including but not limited to all manuals, reports, records, programs, data and other materials, and all intellectual property rights in each of the foregoing, are the exclusive property of Adaptive Real Estate and its suppliers (the “Adaptive Technology”). Evaluator agrees that it will not, and will not permit any other party to: (a) permit any third party to access the Services or any accompanying documentation (“Documentation”), unless otherwise herein authorized; (b) modify, adapt, alter or translate the Adaptive Technology; (c) sublicense, lease, rent, loan, distribute, or otherwise transfer the Adaptive Technology to any third party; (d) reverse engineer, decompile, disassemble, or otherwise derive or determine or attempt to derive or determine the source code (or the underlying ideas, algorithms, structure or organization) of the Adaptive Technology; (e) use or copy the Adaptive Technology except for evaluation purposes; or (f) publish or disclose to any third party any performance benchmark tests or analyses or other non-public information relating to the Services or the use thereof.

3. FEEDBACK. Evaluator understands and agrees that the Services represent a beta test version of unreleased software and services that may contain bugs, defects, and errors. In exchange for the licenses granted to Evaluator to use the Services, Evaluator agrees to use good faith efforts to test, use, and evaluate the Services in live operations, and to promptly report to Adaptive Real Estate, either orally or in writing, any errors, problems, defects, or suggestions for changes and improvements to the Services (collectively, “Feedback”). Evaluator hereby grants to Adaptive Real Estate a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, fully sublicensable and transferable right and license to use and incorporate the Feedback into any products and services, including a commercial version of the Services (“Commercial Release”), and otherwise exploit the Feedback without restriction. Further, Evaluator acknowledges and agrees that the products and services incorporating such Feedback will be the sole and exclusive property of Adaptive Real Estate, and Evaluator will gain no right, title or interest in or to the Adaptive Technology or any Commercial Release by virtue of Evaluator’s provision of Feedback to Adaptive Real Estate or for any other reason. Adaptive Real Estate has no obligation (a) to create, distribute or otherwise offer a Commercial Release, (b) to offer the Commercial Release to Evaluator, or (c) to offer Evaluator any discounted pricing or special terms. Evaluator understands and agrees that the Commercial Release may contain functions and functionality, and perform in a manner significantly different from the current beta version of the Services. Accordingly, Evaluator acknowledges that any research or development performed, or business plans made, by Evaluator regarding or in reliance upon the Services are done entirely at Evaluator’s own risk.

4. EVALUATOR CONTENT. As between the parties, Evaluator retains all rights, title, and interest in and to any data or content submitted by Evaluator, or on its behalf, to the Services (the “Evaluator Content”). For clarity, Evaluator Content includes data or content which is provided via integration with Evaluator’s account on the Third-Party Properties. Evaluator acknowledges that certain functionality in the Services may be dependent on the provision of Evaluator Content and may not be available without such Evaluator Content. Evaluator hereby grants Adaptive Real Estate a non-exclusive, royalty-free, fully paid, perpetual, irrevocable license to the Evaluator Content for the purpose of providing the Services. Adaptive Real Estate will have the right to collect and analyze log and other data related to the Services and the provision, use and performance and various aspects of the Services and related systems technologies (“Performance Data”) and use such Performance Data and Evaluator Content internally to train algorithms, to troubleshoot, improve and enhance the Services and for other development, diagnostic, security and corrective purposes.

5. THIRD-PARTY PROPERTIES. The Services may allow integrations with third party applications, products or services that may provide additional functionality to the Services (“Third-Party Properties”), including payment cards transactions monitoring services provided by third party providers to enable the budget and expense tracking capabilities of the Services (“Third-Party Card Monitoring Services”). Such Third-Party Properties are subject to the terms and conditions (including privacy policies) governing such Third-Party Properties and Evaluator is responsible for complying with any terms applicable to its use of the Third-Party Properties and obtaining all rights and permissions that may be necessary to integrate Evaluator’s account on such Third-Party Properties with the Services. Evaluator’s use of such Third-Party Properties (and any exchange of any information, license, payments etc.) is solely between Evaluator and the applicable third-party provider, and Adaptive Real Estate makes no warranties of any kind and assumes no liability of any kind for Evaluator’s use of such Third-Party Properties or any content imported from or otherwise made available through the Third-Party Properties. The use of any Third-Party Properties is at Evaluator’s own risk.

6. THIRD-PARTY CARD MONITORING SERVICES. To enable the Third-Party Card Monitoring Services, Evaluator authorizes Adaptive Real Estate’s suppliers of such services, which may include Fidel API (“Card Monitoring Services Provider”) and any applicable card network provider (e.g., Visa, Mastercard, American Express, etc.) (each a “Card Network”) to monitor the transactions made with eligible payment cards that Evaluator enrolls or links through the Services (each a “Card”). The data collected by Card Monitoring Services Providers may include Evaluator’s registered card identifier, merchant, transaction date/time, amount and other transaction elements (e.g., currency, Card Network, etc.).
6.1 Transaction Monitoring. By registering a Card in connection with Third Party Card Monitoring Services, Evaluator hereby consents and authorizes Adaptive Real Estate, Card Monitoring Services Providers, including Fidel API, and Card Networks to (a) share Evaluator’s Card information to activate the Third Party Card Monitoring Services; and (b) monitor and access transaction data on Evaluator’s Card(s) to provide the Services and in order to enable Evaluator’s usage of real time transaction data for all transactions made on such a Card. Evaluator acknowledges it may opt-out of transaction monitoring on Evaluator’s payment card(s) at any time, by navigating to the Services account menu to remove the Card(s).
6.2 Card Eligibility. Evaluator acknowledges that not all Visa, Mastercard, and American Express cards are eligible for registration including Visa, Mastercard, and American Express Corporate cards; Visa, Mastercard, and American Express Purchasing cards; non-reloadable prepaid cards; government-administered prepaid cards (including EBT cards); healthcare including Health Savings Account (HSA) or Flexible Spending Account (FSA) or Insurance prepaid cards; Visa Buxx; Visa-, Mastercard-, and American Express-branded cards whose transactions are not processed through the Visa payment system, Mastercard payment system, and/or American Express payment system; and payments made through other payment methods (such as digital wallet or third-party payment applications, where you may choose your Visa or Mastercard card as a funding source but not present the card directly to the merchant). Additionally, certain transactions may not be eligible to be monitored through the Services, including PIN-based purchases on debit cards, purchases initiated through identification technology that substitutes for a PIN, or transactions that are not processed or submitted through Card Network’s payment systems. If you register a debit card, your transaction must be processed as a ‘credit’ (i.e., signature) transaction to make sure the transaction can be monitored. Do not use a Personal Identification Number (PIN) when paying for your purchases with your enrolled card if you want the transaction to be available for view or action through the Services.

7. FEES. The fees, if any, applicable to Evaluator’s use of the Services during the Term will be set forth in a mutually agreed upon Order for the Services. Evaluator will pay the fees set forth in such Order in accordance with the payment terms set forth therein. All fees are non-recoupable and non-refundable.

8. DISCLAIMERS; NO WARRANTIES. Evaluator acknowledges and agrees that the Adaptive Technology and any other Third-Party Properties are not intended to be a substitute for human oversight or review. Evaluator is solely responsible (a) for reviewing and approving any information or suggestions provided by the Adaptive Technology or any Third-Party Properties, including but not limited to reviewing and approving all suggested payments to any third parties; and (b) for any decisions made or actions taken based on the Adaptive Technology or any Third-Party Properties. EVALUATOR AGREES THAT THE ADAPTIVE TECHNOLOGY AND ANY THIRD-PARTY PROPERTIES (including services provided by Fidel API and Card Networks) PROVIDED WITH THE SERVICES ARE BEING PROVIDED ON AN EVALUATION BASIS ONLY. ACCORDINGLY, THE ADAPTIVE TECHNOLOGY, INCLUDING ANY THIRD-PARTY PROPERTIES PROVIDED THEREUNDER, ARE LICENSED AND PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. ADAPTIVE REAL ESTATE, CARD NETWORKS, AFFILIATES, AND THIRD PARTY PROVIDERS (INCLUDING FIDEL API), LICENSORS, DISTRIBUTORS, AND SUPPLIERS (COLLECTIVELY, THE “ADAPTIVE PARTIES”) HEREBY DISCLAIM ALL WARRANTIES WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE WITH RESPECT TO THE ADAPTIVE TECHNOLOGY, THE OPERATION AND RESULTS THEREOF, THE THIRD PARTY PROPERTIES (INCLUDING FIDEL API SERVICES AND CARD NETWORKS) AND EVALUATOR’S ACCESS TO AND USE THEREOF. THE ADAPTIVE PARTIES (INCLUDING FIDEL API AND CARD NETWORKS) SPECIFICALLY DISCLAIM THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT, OR THE ACCURACY, RELIABILITY, QUALITY OF ANY INFORMATION PROVIDED BY THE SERVICES OR ANY CONTENT IN OR LINKED TO THE SERVICES.
THE ADAPTIVE PARTIES (INCLUDING FIDEL API AND CARD NETWORKS) DO NOT WARRANT THAT THE ADAPTIVE TECHNOLOGY WILL BE ERROR-FREE OR THAT IT WILL WORK WITHOUT INTERRUPTION OR MEET EVALUATOR’S EXPECTATIONS. EVALUATOR AGREES THAT THE ADAPTIVE PARTIES (INCLUDING FIDEL API AND CARD NETWORKS) WILL NOT BE RESPONSIBLE FOR ANY LOSS OF EVALUATOR DATA OR ANY FAILURE TO MAINTAIN, STORE, OR BACKUP ANY EVALUATOR CONTENT.

9. LIMITATION OF LIABILITY. IN NO EVENT WILL ADAPTIVE REAL ESTATE OR THE ADAPTIVE PARTIES (INCLUDING FIDEL API AND CARD NETWORKS) BE LIABLE TO EVALUATOR OR ANY THIRD PARTY FOR THE COST OF PROCUREMENT OF SUBSTITUTE SERVICES, LOST PROFITS, LOST CONTENT OR DATA, OR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY ARISING IN ANY WAY OUT OF THIS AGREEMENT OR EVALUATOR’S USE OF THE SERVICES, EVEN IF ADAPTIVE REAL ESTATE OR THE ADAPTIVE PARTIES (INCLUDING FIDEL API AND CARD NETWORKS) HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE TOTAL CUMULATIVE LIABILITY, RELATED TO THIS AGREEMENT, OF THE ADAPTIVE PARTIES SHALL BE LIMITED TO THE GREATER OF (A) FEES PAID BY EVALUATOR UNDER AN ORDER, IF ANY; OR (B) FIFTY DOLLARS (U.S. $50). The parties agree that the limitations of liability set forth in this section shall survive and continue in full force and effect despite any failure of consideration or of an exclusive remedy. The parties acknowledge that the prices have been set and the Agreement entered into in reliance upon these limitations of liability and that all such limitations form an essential basis of the bargain between the parties.

10. CONFIDENTIALITY. “Confidential Information” means any information of a confidential or non-public nature disclosed by one party as a disclosing party to the other party as a receiving party that is either designated as confidential or proprietary at the time of disclosure or should be reasonably understood to be confidential in light of the nature of the information and the circumstances surrounding disclosure. Evaluator and Adaptive Real Estate agree that it will use the Confidential Information of the other party solely to perform its obligations and exercise its rights under this Agreement and it will not disclose, or permit to be disclosed, the same, except that Adaptive Real Estate may disclose Evaluator’s Confidential Information to its service providers that are subject to confidentiality obligations for the purpose of enabling Adaptive Real Estate to exercise its rights and perform its obligations under this Agreement, or as otherwise permitted hereunder. However, either party may disclose Confidential Information (a) to its employees, officers, directors, attorneys, auditors, financial advisors and other representatives (collectively, “Representatives”) who have a need to know and are legally bound to keep such information confidential by confidentiality obligations with respect to the Confidential Information of the other party consistent with those of this Agreement (provided that the party disclosing the Confidential Information to its Representatives shall be responsible for any actions of its Representatives); and (b) as required by law (in which case the receiving party will provide the disclosing party with prior written notification thereof, will provide the disclosing party with the opportunity to contest such disclosure, and will use its reasonable efforts to minimize such disclosure to the extent permitted by applicable law).
The obligations of confidentiality in this Section shall not apply to information that: (i) is or becomes generally known or publicly available through no fault of receiving party; (ii) was properly known to receiving party, without restriction, prior to disclosure by the disclosing party; (iii) was properly disclosed to the receiving party, without restriction, by another person with the legal authority to do so; or (iv) is independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information. Each party agrees to exercise due care in protecting the Confidential Information of the other party from unauthorized use and disclosure. In the event of actual or threatened breach of the provisions of this Section, the non-breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it. Evaluator will use reasonable efforts to prevent any access to the Services by anyone other than its employees who are obligated to comply with the terms hereof.

11. DATA PRIVACY. Adaptive Real Estate and Evaluator agree to the terms of the Data Protection Addendum (Exhibit A).

12. TERM AND TERMINATION. This Agreement commences the earlier of (a) the date of acceptance of this Agreement, (b) the date of first use of the Services, or (c) the effective date of an Order (if any), and will continue in effect until the end of the Term. Either party may terminate this Agreement without cause at any time by giving ten (10) days’ written notice to the other party. Upon termination of this Agreement, (a) all licenses and other rights and obligations will immediately terminate except that Sections 2, 3, 4 and 6 through 13 will survive indefinitely; (b) Evaluator shall immediately (i) cease all use of Services, and (ii) delete or destroy all copies of the Documentation in the possession or control of Evaluator.

13. GENERAL PROVISIONS. This Agreement will be governed by the laws of the State of California. Evaluator submits to the exclusive jurisdiction and venue of the federal and state courts located in San Mateo County, California for any disputes arising out of or related to this Agreement. Evaluator may not assign or transfer, by operation of law, change of control or otherwise, any of its rights under this Agreement to any third party without Adaptive Real Estate’s prior written consent. Any attempted assignment or transfer in violation of the foregoing will be void. All waivers must be in writing. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. If any part of this Agreement is found void and unenforceable, it will not affect the validity of the balance of this Agreement, which shall remain valid and enforceable according to its terms. If any provision of this Agreement is, for any reason, held to be invalid or unenforceable, the other provisions of this Agreement will remain enforceable and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. This Agreement, including any applicable Order, which is hereby incorporated by reference into and form a part of the Agreement, is the sole agreement of the parties concerning the subject matter hereof, and supersedes all prior agreements and understandings with respect to said subject matter. Except as expressly stated in an Order, in the event of a conflict between the terms of this Agreement and the terms of an Order, the terms of this Agreement will control.

EXHIBIT A

DATA PROTECTION ADDENDUM

Evaluator has entered into an evaluation agreement (as amended from time to time, the “Agreement”) with Adaptive Real Estate, Inc. (“Vendor”), under which Vendor has agreed to provide certain services described therein (“Services”) to Evaluator. This Data Protection Addendum, including its appendices (the “Addendum”), supplements and forms part of the Agreement.

1.  DEFINITIONS. For purposes of this Addendum, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.

2.  DURATION AND SCOPE OF ADDENDUM. This Addendum will, notwithstanding the expiration of the Agreement, remain in effect until, and automatically expire upon, Vendor’s deletion of all Personal Data. Annex 1 (California Annex) to this Addendum applies to Personal Data or the processing thereof subject to the CCPA.

3.  PERSONAL DATA PROCESSING. Vendor will process Personal Data only in compliance with Applicable Data Protection Laws and only as necessary to perform its obligations and exercise its rights under the Agreement.

4.  SECURITY.

5.  DATA SUBJECT RIGHTS.

6.  AUDITS. Evaluator may audit Vendor’s compliance with its obligations under this Addendum up to once per year and on such other occasions as may be required by Applicable Data Protection Laws. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Evaluator’s audit request and Vendor has certified in writing that there are no known material changes in the controls audited, Evaluator agrees to accept such report in lieu of requesting an audit of such controls or measures. The audit must be conducted during regular business hours, and may not unreasonably interfere with Vendor business activities. Any audits are at Evaluator’s expense unless the audit identifies noncompliance with this Addendum in any material respect, in which case Vendor will reimburse Evaluator for all of its out of pocket costs and expenses associated with the audit.

7.  SUBPROCESSORS.

8.  TERMINATION. Upon termination of Evaluator’s access to the Services, Vendor shall delete or cause the deletion of all Personal Data in the care, custody or control of Vendor and any Subprocessor as soon as reasonably practicable, except to the extent retention thereof is required by law.

9.  PROHIBITED DATA. Evaluator represents and warrants to Vendor that Evaluator has not provided and will not provide, without Vendor’s prior written consent, the following for Evaluator to Process: any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age.

10. MISCELLANEOUS. Except as expressly modified by the Addendum, the terms of the Agreement remain in full force and effect. The requirements of this Addendum are in addition to and not in lieu of the requirements of the Agreement. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern.

ANNEX 1

California Annex

1.  Vendor shall not retain, use, or disclose any Personal Data that constitutes “personal information” under the CCPA (“CA Personal Information”) for any purpose other than for the specific purpose of providing the Services, or as otherwise permitted by CCPA, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in CCPA) other than providing the Services.

2.  Vendor shall not (a) sell any CA Personal Information; (b) retain, use or disclose any CA Personal Information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the CA Personal Information for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (c) retain, use or disclose the CA Personal Information outside of the direct business relationship between Vendor and Evaluator. Vendor hereby certifies that it understands its obligations under this Section 2 and will comply with them.

3.  Provision of the Services encompasses the processing authorized in Section 3 of the Addendum.

4.  Notwithstanding anything in the Agreement or any order form entered in connection therewith, the parties acknowledge and agree that Vendor’s access to CA Personal Information is not part of the consideration exchanged by the parties in respect of the Agreement.

ANNEX 2

Security Measures

At all times that the Vendor processes Personal Data, Vendor will have implemented and maintain the following Security Measures:

1. Formal written information security policies and procedures designed to protect the confidentiality, availability and integrity of Personal Data and any systems that store or otherwise process it, which are aligned with an industry-standard control framework (e.g., NIST SP 800-53, ISO 27001, SOC 2 Type 2, CIS Critical Security Controls); approved by executive management; reviewed and updated at least annually; and communicated to all personnel with access to Personal Data.

2.  Training all personnel with access to Personal Data on their and the Vendor’s data protection obligations.  

3.  Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Vendor’s organization, monitoring and maintaining compliance with Vendor’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

4.  Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available and industry standard encryption technologies for Personal Data that is (a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or (b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).

5.  Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access when employment terminates or changes in job functions occur).

6. Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Vendor passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Vendor’s computer systems; (iii) must be changed every ninety (90) days; (iv) must have defined complexity; (v) must have a history threshold to prevent reuse of recent passwords; and (vi) newly issued passwords must be changed after first use.

7.  Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Vendor facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

8.  Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Vendor’s technology and information assets.

9.  Incident/problem management procedures designed to allow Vendor to investigate, respond to, mitigate and notify of events related to Vendor’s technology and information assets.

10. Network security controls that provide for the use of enterprise firewalls, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

11.  Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

12.  Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.