Privacy and Data Security Terms

These Privacy and Data Security Terms (“Terms”) are by and between De Lage Landen Financial Services Canada Inc. and its affiliates (“DLL”) and the vendor, supplier, service provider, business partner, dealer or other entity on whose behalf these Terms are being acknowledged (the “Company”, and with DLL, individually, a “Party”, and collectively, “Parties”). Where any other agreements have been duly executed by DLL and the Company (collectively, the “Agreement”) in connection with which the Company receives or will receive DLL Confidential Information, notwithstanding anything to the contrary in the Agreement, these Terms are subject to and are hereby incorporated as part of the Agreement. In the event of a conflict between the terms of the Agreement and these Terms, these Terms shall prevail with respect to the subject matter of the conflict. All capitalized terms used but not otherwise defined in these Terms shall have the meaning ascribed to such term in Schedule “A”.

In consideration of DLL’s use of the Company to perform services and/or DLL providing the Company access to DLL’s Confidential Information, and for other good and valuable consideration, the receipt and sufficiency of which are acknowledged, and intending to be legally bound, the Company herby acknowledges and agrees:

1. Compliance with Requirements and Applicable Laws.

Company and its authorized employees, agents, contractors, subcontractors, or service providers (“Representatives”) shall comply with these Terms (“Basic Requirements”) as long as they have access to Confidential Information, regardless of whether any Agreement has been terminated. The Company warrants and represents that it will comply with all Applicable Laws with respect to any Confidential Information or PII received, collected, used, disclosed or stored by the Company pursuant to the Agreement. The Company shall be liable for any acts or omissions of its Representatives in breach of the Agreement or these Terms to the same extent as if it had committed such acts or omissions directly. DLL may, from time to time, update these Terms to include additional, new, or updated privacy and data security requirements (“Additional Requirements”, and collectively with the Basic Requirements, the “Requirements”). The Company shall (and shall ensure that its Representatives) comply with such Additional Requirements within thirty (30) days of receipt of such notice or a longer time period as otherwise determined by DLL at its sole discretion. In the event that the Company fails to or reasonably determines that it will not be able to comply with the Additional Requirements within the agreed upon time period, Company shall notify DLL in writing and DLL shall have the right to either extend the time period or terminate the Agreement or any applicable order form, statement of work, or other supplement to the Agreement immediately upon notice to Company.

2. Privacy

Limitations on Use and Disclosure of Confidential Information.
Confidential Information may only be collected, used, disclosed or stored for the sole purpose of fulfilling the Company’s obligations pursuant to the Agreement, and as otherwise required or permitted by DLL. The Company shall not disclose, sell, assign, or transfer to any third party, including a subcontractor, or otherwise dispose of any Confidential Information without the prior written permission of DLL, except to the extent that a disclosure or transfer is required by law or otherwise permitted by other agreements between DLL and the Company. Furthermore, no Confidential Information may be otherwise commercially exploited by or on behalf of the Company or its Representatives. The Company will implement and maintain reasonable and appropriate security measures in accordance with all Applicable Laws to protect Confidential Information from any unauthorized use, disclosure, modification, destruction, storage or processing.

To the extent applicable, the Company will use commercially reasonable efforts to ensure that the systems of Company and its Representatives that access, use or contain Confidential Information shall be logically separated from those systems supporting third parties. The supplier shall provide evidence of such certifications to DLL, with prompt notice to DLL in the event any of those certifications are suspended, withdrawn, terminated, or otherwise materially changed.

Instructions Regarding Confidential Information
To the extent applicable, the Company shall (i) comply with any and all instructions it receives from DLL regarding any Confidential Information (including, but not limited to, restricting and/or prohibiting subsequent disclosures of such information, providing a copy of all such information, or permanently deleting and/or securely destroying such information), and (ii) otherwise assist DLL as necessary in order to permit DLL to comply with any Applicable Laws.

Destruction of Confidential Information
Within five (5) business days following Company’s receipt of DLL’s instructions to destroy any Confidential Information, the Company shall securely destroy such Confidential Information in accordance with this Section and provide written confirmation of the same to DLL. Any measures employed by the Company to destroy or dispose of Confidential Information as required per the terms of the Agreement or these Terms shall be secure and in line with industry best practices. All Confidential Information must be rendered unreadable and unrecoverable regardless of the form (physical or electronic), this process may include the use of logical deletion/data scrubbing or degaussing techniques depending on sensitivity of the Confidential Information involved.

3. Data Security

Written Plan.
The Company represents and warrants that it has adopted, documented, implemented and shall adhere to a commercially reasonable written information security plan for maintaining physical, organizational, administrative, and technical controls to protect all Confidential Information in any medium or format in the Company’s custody or control against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, use, and access, and against all other unlawful activities in compliance with the requirements set out in Schedule “B” (the “Plan”). The Company will periodically, but no less than annually, assess and update its Plan as necessary. The Company will, to the extent any material weakness is found, take appropriate action, promptly under the circumstances, to remedy such weakness.

Network and Systems Security and Monitoring.
The Company will implement network protection mechanisms meeting industry best practices for all Company networks which access Confidential Information. All electronic Confidential Information being stored by or on behalf of the Company will reside behind an industry standard and securely configured firewall and the Company will utilize industry standard authentication and intrusion detection technologies to prevent unauthorized destruction, loss, disclosure, use or alteration of or access to Confidential Information. At a minimum, firewalls and intrusion detection systems or intrusion prevention systems shall be utilized for Internet-connected networks. Firewalls shall only allow network traffic that is explicitly known or authorized. All other network traffic shall be denied. The Company will minimize access by means of wireless networking to Confidential Information and will ensure that authentication, encryption, and security for any such wireless network meets generally accepted industry best practices. Access to Confidential Information over the public Internet shall be restricted to only allow connections that originate from IP addresses pre-authorized by the Company and otherwise denied. Additionally, the Company agrees that when electronic Confidential Information is transmitted over public or third party networks or when being stored or transported outside of the Company’s systems or facilities, including any storage in any portable device or medium (e.g. laptops, tablets, phones, flash drives), such Confidential Information will be encrypted using encryption technologies consistent with industry best practices and the then-current applicable National Institute of Standards and Technology (“NIST”) guidance.

Access Controls and Identity Management.
The Company will:

  1. limit access rights to Confidential Information to only its Representatives with a need for such access;
  2. prior to providing such Representatives with access rights, advise them of the confidential nature of such information and systems and contractually obligate them to abide by the Requirements; and
  3. use multi-factor authentication, where feasible, and appropriate password policies.

Security Awareness and Training.
The Company represents and warrants that it has a Security Program instructing its Representatives how to protect Confidential Information. All Company personnel with access to Confidential Information shall complete initial security awareness training by the Company proportional to the Confidential Information being shared by DLL with the Company, prior to receiving access to Confidential Information, and receive annual refresher training thereafter.

4. Security Incidents

Upon occurrence of a Security Incident.
If the Company or a Representative discovers or is notified of any Security Incident, which shall include any security event requiring notification to individuals or regulators under Applicable Law, the Company will notify DLL no later than forty-eight (48) hours after becoming aware of the Security Incident. Notice of a Security Incident shall be made to DLL’s Privacy Director by email at canadianprivacy@dllgroup.com or by phone: +1 416-357-3280. The Company shall (i) investigate and preserve all records and other evidence related to the Security Incident and take all appropriate actions to remediate the effects of the Security Incident and mitigate any risks that might arise from the Security Incident, (ii) provide DLL with a written report on the outcome of its investigation including any risk to Confidential Information, the corrective actions it will take, or has taken, and such other information as DLL may reasonably request, (iii) provide DLL with assurances reasonably satisfactory to DLL that such Security Incident shall not recur. No independent action to correct a Security Incident that could affect DLL shall be taken by the Company without prior notice to DLL unless failure to immediately respond will result in irreparable harm to DLL.

External Notifications.
DLL may disclose the occurrence of a Security Incident involving PII in connection with notice to Data Subjects, governmental authorities, law enforcement agencies, or any other notice required by law or deemed necessary or prudent at DLL’s sole discretion (“Notifications”). The Company or its Representatives may not issue any public statement or notify potentially affected DLL borrowers, customers, consumers or vendors about a Security Incident without DLL’s prior written consent, unless required by law in which case the Company shall promptly notify DLL. DLL shall exclusively control the contents of any such statement or Notification, as allowed by Applicable Laws.

Cooperation and Company Contact.
The Company shall cooperate in good faith with DLL in DLL’s handling of any Security Incident, including without limitation any investigation, reporting, the timing and manner of any Notifications, or other obligations required by Applicable Laws or as otherwise required by DLL to investigate, respond to and mitigate any damages caused by the Security Incident.

5. DLL Due Diligence and Compliance Reviews

As periodically requested by DLL, the Company shall, at its own cost and expense, promptly complete DLL’s requests for information regarding the Company’s privacy and data security practices. DLL or its auditors have the right to review any books or records relating to the Company’s and its Representatives’ compliance with the Requirements during normal business hours, and the Company shall cooperate and furnish information as requested in connection with any such review (these may include service organizational control reports). Any such reviews by DLL will be conducted upon at least ten (10) business days’ advance notice, and will not materially disrupt the Company’s business operations. Company will promptly correct any deficiency or non-compliance with the Requirements identified and notified by DLL.

6. Company’s Obligation to Assist

The Company will give DLL or its auditors all necessary assistance to conduct such audits in compliance with Applicable Laws. The assistance may include, but is not limited to:

  1. physical access to, remote electronic access to, and copies of the records and any other information held at the Company’s premises or on systems storing personal information;
  2. access to and meetings with any of the Company’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
  3. Inspection of all records and the infrastructure, electronic data or systems, facilities, equipment, or application software used to store, process, or transport personal information.

7. Rights of Data Subjects

The Company shall inform DLL immediately, and at least within twenty-four (24) hours, if a Data Subject has filed a request to exercise its rights under applicable data protection laws and regulations. The Company shall assist DLL with all information requests which may be received from any Data Subject in relation to any Confidential Information. The Company will only communicate with the Data Subjects and handle requests after the prior written consent of DLL.

Company may have custody or control of PII in which individuals have certain rights under Applicable Laws in connection with PII (such rights, individually and collectively, “Personal Data Rights”). Personal Data Rights may include, without limitation, the right (a) to receive a copy of PII in Company’s custody or control, (b) to receive information about the use and disclosure of PII, and/or (c) to require that certain actions be taken with respect to PII, including deleting, correcting, accessing, or receiving a copy of PII in a portable format and prohibiting or limiting certain uses or disclosures of PII. In the event that Company receives a Personal Data Rights request from an individual, Company shall immediately notify DLL (email sufficing) of such request. Company shall, at its own expense, assist DLL in fulfilling any Personal Data Rights requests with respect to PII in the custody or control of Company, in conducting any assessments of the impact of processing activities on privacy or data protection, in protecting the security of PII, in responding to a governmental request or investigation concerning such PII, and/or otherwise in complying with Applicable Laws relating to such PII. Company shall not (i) sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic means, any Confidential Information (including, but not limited to, any PII) to any third-party for monetary or other valuable consideration, (ii) retain, disclose, use, or otherwise process any Confidential Information for any purpose (including any commercial purpose) other than the specific purpose of performing the services specified in the Agreement or otherwise agreed by the Parties, and/or (iii) retain, use, or disclose any Confidential Information outside of the direct business relationship between Company and DLL. Company hereby certifies that it understands the restrictions described in the previous sentence and shall comply with them.

8. Indemnification

In addition to any indemnification obligations of the Company to DLL under the Agreement, the Company shall indemnify and hold harmless DLL, its affiliates, and its and their respective employees, officers, directors, shareholders, managers, members, and agents, for all out-of-pocket costs, damages, losses, judgments, settlements, and expenses (including, but not limited to, reasonable legal fees) incurred in connection with: (a) any Security Incident(s), including, without limitation, the cost of reconstructing data and data forensics (including any security audits or reviews of the Company’s systems reasonably requested by DLL), the cost of Notifications and providing identity theft monitoring and resolution services (including call centers and credit monitoring services) to affected parties, fines or penalties assessed by regulators, and any reasonable outside counsel fees incurred by DLL related to such Security Incident(s) (including costs of responding to or defending any associated claims, demands, regulatory investigations, or proceedings) and (b) any and all claims, demands, or proceedings by a third party, and/or any associated costs of defense and/or financial penalties or fines imposed by supervisory or regulatory authorities, arising from allegations that, if true, would constitute any breach by the Company of these Terms, the Requirements or breach of any Applicable Laws. The Company shall not enter into any settlement without DLL’s express prior written consent that (i) assigns, imparts or imputes fault or responsibility to DLL or its affiliates, (ii) includes a consent to an injunction or similar relief or otherwise imposes any obligation binding upon DLL or its affiliates, or (iii) provides for relief other than monetary damages that the Company solely bears. The Company’s indemnification obligation under this Section, and any liability incurred by the Company thereunder, shall not be subject to any limitation of liability set forth in the Agreement or any order form, statement of work or other supplement to the Agreement or elsewhere to the contrary, including any provision limiting the types and amounts of damages.

9. Representations and Warranties

The Company represents and warrants that: (a) the Company and its Representatives accessing Confidential Information on its behalf have received the required training on the use of Confidential Information, (b) the Company and its Representatives operating on its behalf will process the Confidential Information in compliance with these Terms, the Agreement and all Applicable Laws, (c) it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Confidential Information and the accidental loss or destruction of, or damage to, Confidential Information, and ensure a level of security appropriate to: (i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage, (ii) the nature of the Confidential Information being shared; and (iii) comply with all Applicable Laws and its information and security policies as mentioned above.

Schedule A

“Applicable Laws” means all applicable international, federal, provincial and local laws and regulations relating in any way to privacy, data security and/or information governance as they may be amended, updated, supplemented, repealed or replaced from time to time with respect to any Confidential Information or PII received, collected, processed or stored by the Company.

 

“Confidential Information” in addition to any definition of Confidential Information (or such equivalent term as may be used in the Agreement) provided in the Agreement, “Confidential Information” means any information related to DLL’s (or its affiliates’) software (including source code, object code, architecture and associated data) or information relating to any current, former or prospective identified or identifiable business partner, borrower, customer, or employee, PII, loan terms, pricing policies, profit margins, non-public financial information, operating methods, marketing plans, databases, networks, systems, other technology, configurations, system accounts, user IDs, passwords, security plans, measures and settings, disaster recovery or business continuity plans and measures, and/or other business affairs.

“Data Subject” means an identified or identifiable natural person to whom the Confidential Information relates.

“PII” shall mean all personally identifying information, behavioral or demographic information, financial information, or other information, disclosed by DLL (or its affiliates), or which the Company or its Representatives acquire, access or derive in connection with the Agreement, that, either individually or when combined with other information, could be used to identify, contact or derive information specific to a particular individual, including, but not limited to, that individual’s identity, first and last name (or first initial and last name), social security number, driver’s license number, any other government-issued identifier, telephone number, credit card number, payment card data, address, e-mail address, user ID or password, account information, payroll information, financial information, health information, employee identification number, criminal or employment history, mother’s maiden name, birth date or other factors specific to that individual’s physical or financial identity. PII also includes any information that is stored or processed in association with PII.

“Security Incident” means (a) any actual or suspected unauthorized or unlawful use, modification, reproduction, removal, disclosure, loss, destruction or access of DLL’s Confidential Information, and/or (b) any occurrence that could foreseeably result in an impairment of the confidentiality, integrity or availability of DLL’s Confidential Information.

Schedule B

The Company’s information security plan must include physical, organizational, administrative and technical controls governing the following areas:

  1. network and systems security and monitoring, including appropriate selection and use of encryption software, systems and technologies;
  2. secure systems and application development, including licensing of securely developed applications;
  3. penetration testing and vulnerability assessments;
  4. asset inventory and device management;
  5. access controls and identity management, including, where feasible, the use of two-factor authentication and appropriate password policies;
  6. security awareness and training;
  7. data governance and classification, including appropriate limitations on data retention;
  8. business continuity and disaster recovery planning and resources;
  9. systems operations and availability concerns;
  10. physical security and environmental controls;
  11. customer data privacy;
  12. vendor and third-party service provider management;
  13. risk assessment; and
  14. notice and incident response procedures (“Plan”).