DLL Supplier Privacy and Data Security Terms

Last Updated: October 16, 2023

 

These Privacy and Data Security Terms (the “Terms”) are by and between De Lage Landen Financial Services, Inc., and its affiliates (“DLL”) and the vendor, supplier, service provider, business partner, or other entity on whose behalf you are agreeing to these Terms (the “Company,” and with DLL, individually, a “Party”, and collectively, the “Parties”). These Terms apply where any other agreements have been duly executed by DLL and the Company (collectively, the “Agreement”) in connection with which the Company receives or will receive DLL Confidential Information (as defined below) for the limited and specific business purposes set forth in the Agreement. Notwithstanding anything to the contrary in the Agreement, these Terms are subject to and hereby incorporated as a part of the Agreement. In the event of a conflict between the terms of the Agreement and these Terms, these Terms shall prevail with respect to the subject matter of the conflict. For the sake of clarity, any reference in these Terms to “industry standard”, “industry standards” or “industry best practices” means commonly accepted best practices for service providers providing technology services to regulated members of the financial industry.

In consideration of DLL’s use of Company to perform services and providing Company access to DLL’s Confidential Information, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, and intending to be legally bound, Company hereby acknowledges and agrees:

  1. Compliance with Requirements and Applicable Laws. Company and its authorized employees and agents, and those authorized contractors, subcontractors, or service providers who store or process any DLL Confidential Information and/or access any DLL systems or facilities (collectively, “Representatives”) shall comply with these Terms if they have access to Confidential Information, regardless of whether any Agreement has been terminated. Company warrants and represents that it will comply with all applicable laws with respect to any Confidential Information, including NPI (as defined below), received, collected, processed or stored by Company. Company shall be liable for any acts or omissions of its Representatives in breach of the Agreement or these Terms to the same extent as if it had committed such acts or omissions directly. DLL may update these Terms to include new privacy and data security requirements (these Terms, as so updated from time to time, collectively the “Requirements”). Company must monitor the “Last Updated” date above to stay informed of any updates. If the Company determines that it can no longer comply with any of the Requirements or any applicable laws, Company shall notify DLL of any such non-compliance immediately. If the Company fails to comply with these Terms, DLL shall have the right to terminate the Agreement or any applicable order, statement of work, or other supplement to the Agreement immediately upon notice to Company.

  2. Confidential Information; Access to Systems. For purposes of these Terms, in addition to the definition, if any, of “Confidential Information” (or such equivalent term as is used in the Agreement) provided in the Agreement, the term “Confidential Information” shall mean any information related to DLL’s (or its affiliates’) software (including source code, object code, architecture, and associated data), information relating to an identified or identifiable business partner, borrower, or employee, loan terms, pricing policies, profit margins, non-public financial information, operating methods, marketing plans, databases, networks, systems, other technology, configurations, system accounts, user IDs, passwords, security plans, measures and settings, disaster recovery or business continuity plans and measures, and/or other business affairs. For the avoidance of doubt, Confidential Information includes all NPI. If Company’s Representatives are given access to DLL’s systems or facilities, such Representatives shall comply with DLL’s applicable network and facilities policies and any specified access or use restrictions. Specifically, and without limiting the foregoing, to the extent permitted by law, Company will use (a) industry standard criminal background checking procedures to ensure that no individual who has been arrested for or convicted of a felony or a crime involving fraud, theft or dishonesty may access DLL’s systems or Confidential Information, and (b) Office of Foreign Assets Control (OFAC) checks. Company shall limit access to DLL’s Confidential Information to those employees and service providers with a need for such access pursuant to the Agreement and who are subject to binding written confidentiality and security obligations at least as stringent as those in these Terms. Any measures to destroy or dispose of Confidential Information as required per the terms of the Agreement shall be secure and in line with industry best practices.
Promptly following termination of the Agreement or any services performed for DLL, or earlier within five (5) business days following Company’s receipt of DLL’s written instructions, Company shall securely destroy DLL’s Confidential Information in accordance with this Section and provide written confirmation of the same to DLL.

  3. Information Security Program.

    1. Information Security. Company warrants that it has adopted, documented, implemented, and shall adhere to a commercially reasonable written information security plan that contains technical and organizational measures appropriate to the nature of the information to protect all Confidential Information in any medium or format in Company’s custody or control against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, use, and access, and against all other unlawful activities. Company’s information security plan must include, without limitation, physical, organizational, administrative, and technical controls governing the following areas: (a) network and systems security and monitoring, including appropriate selection and use of encryption software, systems and technologies; (b) secure systems and application development, including licensing of securely developed applications; (c) penetration testing and vulnerability assessments; (d) asset inventory and device management; (e) access controls and identity management, including, where feasible, the use of multi-factor authentication and appropriate password policies; (f) security awareness and training; (g) data governance and classification, including appropriate limitations on data retention; (h) business continuity and disaster recovery planning and resources; (i) systems operations and availability concerns; (j) physical security and environmental controls; (k) customer data privacy; (l) exercising appropriate and ongoing diligence, oversight, and management with regard to any vendors and/or third-party service providers; (m) risk assessment; and (n) notice and incident response procedures (collectively, the “Plan”).

    2. Specific Information Security Requirements.

      1. If Company performs penetration tests, DLL reserves the right to receive the results of such tests. Company shall use operational, up-to-date, and reputable anti-Malware tools on any systems that have access to DLL’s networks, systems, applications, data, or Confidential Information. In the event a virus, malware, or similar item (collectively, “Malware”) is found to have been introduced into DLL’s systems by or through Company, Company will, at its sole cost and expense: (a) use commercially reasonable efforts to reduce or eliminate the effects of the Malware; and (b) if the Malware causes a loss of operational efficiency or loss of data, mitigate and restore such losses and reimburse DLL for them.

      2. If applicable to the service, Company shall make commercially reasonable efforts, where feasible, to use multi-factor authentication generally. In all cases, Company shall require multi-factor authentication for any individual accessing its internal networks from an external network and for any individual accessing systems that store or provide access to DLL’s Confidential Information.

      3. When DLL’s Confidential Information is (i) transmitted over public or third party networks or when being stored or transported outside of Company’s systems or facilities, including any storage in any portable device or medium, or (ii) stored at rest in Company’s custody or control, Company shall encrypt such Confidential Information using industry best practices for cryptographic technologies and key lengths, consistent with the then-current applicable guidance of the National Institute of Standards and Technology.

      4. All records or other information containing DLL’s Confidential Information that are in the custody or control of Company shall be kept logically separate from the records or other information stored or processed by or on behalf of Company for itself or third parties.

      5. Company shall use industry best practices to secure Confidential Information embodied in physical records and documents, including, without limitation, storage in locked file cabinets, maintenance of clean-desk policies, privilege-based physical access controls, and provision for controlled transport between secure storage and/or destruction facilities.

    3. Secure Systems and Application Development. To the extent that Company’s services under the Agreement include the creation or customization of software or code (including source and/or object code) on behalf of DLL, Company shall: (a) ensure that source code control is securely maintained consistent with commonly accepted industry standards and that Company’s source code and any third party source code or libraries utilized by Company are adequately protected against unauthorized modification; (b) follow all development standards and guidelines provided by DLL to Company from time to time; and (c) use generally accepted industry standards for secure application development, including (i) input and output validation, (ii) message authentication and validation, (iii) protection from injection flaws, cross-site scripting, buffer overflows and improper error handling, (iv) appropriate use of encryption, (v) creation of appropriate logs, and (vi) use of appropriate access controls and user authorization within the application.


  4. NPI and Personal Data Rights.

    1. “NPI” shall mean all information, disclosed by DLL (or its affiliates), or which Company or its Representatives acquire, access or derive in connection with the Agreement or the services performed for DLL, that, either individually or when combined with other information, identifies, relates to, describes, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including, but not limited to, an individual’s identity, first and last name (or first initial and last name), social security number, driver’s license number, passport number, or any other government-issued identifier, telephone number, credit card number, payment or debit card data, address, e-mail address, user ID, password or security question combined with response, or any other credentials allowing access to an account, account information, contents of mail, email, or text messages, payroll information, financial information, health information, precise geolocation information, information regarding racial or ethnic origin, religious or philosophical beliefs, or union membership, employee identification number, criminal or employment history, birth date, biometric information, genetic data, information concerning an individual’s sex life or sexual orientation, or other factors or information specific to that individual’s physical or financial identity. The types of NPI processed by Company may include (but are not limited to) NPI relating to or provided by DLL’s or its affiliates’ current, prospective or former employees, directors, owners, customers, contractors, vendors and/or website visitors. NPI is a type of Confidential Information. 
For the avoidance of doubt, NPI also includes all “consumer information”, all “non-public personal information”, all “non-public information”, all “personal information”, and all “sensitive personal information”, as each of those categories may be subject to regulation under any applicable laws. Company is a “processor” or “service provider,” as such terms are defined in applicable law; accordingly, in processing NPI, Company shall adhere to DLL’s instructions and shall only process NPI in accordance with these Terms.

    2. Company may have custody or control of NPI in which individuals have certain rights under applicable laws (such rights, individually and collectively, “Personal Data Rights”). Personal Data Rights may include, without limitation, the right (a) to receive a copy of NPI in Company’s custody or control, and/or to request that NPI be transmitted to another entity, (b) to receive information about the use and disclosure of NPI, (c) to know how long NPI will be retained, and/or (d) to require that certain actions be taken with respect to NPI, including deleting, correcting, accessing, or receiving a copy of NPI in a portable format and prohibiting or limiting certain uses or disclosures of NPI. If Company receives a Personal Data Rights request from an individual, Company shall immediately notify DLL (email sufficing) of such request. Company shall, at its own expense, assist DLL in fulfilling any Personal Data Rights requests with respect to NPI in the custody or control of Company, in conducting any assessments of the impact of processing activities on privacy or data protection, in protecting the security of NPI, in responding to a governmental request or investigation concerning such NPI, and/or otherwise in complying with applicable law with respect to such NPI. Company shall, at DLL’s request, cooperate to delete, or enable DLL to delete, and shall notify any of its own service providers or contractors to delete, NPI collected, used, processed or retained by the Company, its service providers, or contractors. Company shall notify any sub-processors or third parties who may have access to DLL’s NPI from or through the Company to delete the consumer’s NPI unless this proves impossible or involves disproportionate effort.
Company shall not (i) “sell” or “share” NPI (as those terms are defined by applicable law) unless contemplated by the Agreement, (ii) sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic means, any Confidential Information (including, but not limited to, any NPI) to any third party for monetary or other valuable consideration, (iii) retain, disclose, use or otherwise process any Confidential Information for any purpose (including any commercial purpose) other than the specific purpose of performing the services specified in the Agreement or otherwise agreed by the Parties in writing, (iv) combine NPI with other information that Company receives from or on behalf of any other person or entity, and/or NPI collected by the Company itself, except solely as necessary for Company to provide its services to DLL and/or as may be otherwise expressly authorized in writing by DLL, and/or (v) retain, use, or disclose any Confidential Information outside of the direct business relationship between Company and DLL.

  5. Third Party Sub-Processing; International Transfers. Company will not, except with DLL’s prior written consent, allow (i) a third party access to DLL’s Confidential Information (except for Company’s affiliates and service providers which have a “need to know” in connection with the services contemplated by the Agreement and are legally bound to restrictions at least as stringent as those in these Terms and (if applicable) the Agreement), (ii) a third party sub-processor to process NPI without DLL’s prior written consent (email sufficing); or (iii) Confidential Information to be accessed, stored or used outside of the United States. If DLL permits its Confidential Information to be accessed from a location outside of the United States, Company agrees to use technology that prevents saving or printing of remotely accessed Confidential Information. Company shall impose on its Representatives that have access to DLL’s Confidential Information a level of privacy protection substantially the same as that provided by these Terms.

  6. Security Incidents. “Security Incident” means (a) any actual unauthorized or unlawful use, modification, reproduction, removal, disclosure, loss, destruction, or access of DLL’s Confidential Information, and/or (b) any occurrence that could foreseeably result in an impairment of the confidentiality, integrity, or availability of DLL’s Confidential Information, and shall include any security event requiring notification to individuals or regulators under applicable law. If Company discovers or is notified of any Security Incident, Company will notify DLL no later than twenty-four (24) hours after becoming aware of the Security Incident. Notice of a Security Incident shall be made to DLL’s Chief Legal Officer by (i) standard overnight courier delivery to 1111 Old Eagle School Road, Wayne, PA 19087, (ii) email at Legal-Notices@dllgroup.com, and (iii) phone at 610-386-5000. Company shall: (i) investigate and preserve all records and other evidence related to the Security Incident and take all appropriate actions to remediate the effects of the Security Incident and mitigate any risks that may arise from the Security Incident; (ii) provide DLL with a written report on the outcome of its investigation, including any risk to Confidential Information, the corrective actions it will take or has taken, and such other information as DLL may reasonably request, as soon as is reasonable but no later than seven (7) calendar days following the Security Incident; (iii) when reasonably requested, grant DLL access to the key internal stakeholders and external advisors engaged by Company in the investigation and/or remediation of the Security Incident; and (iv) provide DLL with assurances reasonably satisfactory to DLL that such Security Incident shall not recur. Company shall cooperate in good faith with DLL in the handling of any Security Incident, including (without limitation) assisting DLL to notify affected individuals and governmental agencies.
DLL may disclose the occurrence of a Security Incident involving its Confidential Information as required by law and in DLL’s sole discretion. Company shall not notify a third party about a Security Incident without DLL’s prior written consent, except as required by applicable law, and DLL shall have the right to control the contents of any such communication to the extent it involves DLL’s Confidential Information, except when prohibited by applicable law. DLL, at its discretion and upon notice to Company, shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of NPI. Company agrees to reimburse DLL for all reasonable out-of-pocket costs and losses incurred in connection with a Security Incident, including, without limitation, costs associated with (i) investigating, remediating, and mitigating the effects of the Security Incident, (ii) providing notifications and assisting affected individuals, and (iii) legal and regulatory inquiries and proceedings, including fines, penalties, and reasonable attorneys’ fees (all such costs, collectively, the “Security Incident-Related Costs”). Compliance with obligations under this Section shall not require DLL to continue to do business under the Agreement if it determines in its reasonable business judgment that Company has not taken appropriate steps to remediate such Security Incident. Each Party shall be responsible for having any advisors or consultants execute an appropriate confidentiality agreement acceptable to the Company prior to participating in any investigations or remediation discussions.

  7. Miscellaneous

    1. PCI DSS Compliance. To the extent that the services provided by Company include initiating, storing, or processing credit card transactions, Company warrants and covenants that it will keep on file a current “Report on Compliance” (as such term is defined by the PCI DSS), evidencing that Company is in compliance with the PCI DSS. In addition to the foregoing, Company warrants and covenants that Company complies with and adheres to and will, at all times during which it stores, processes or transmits any cardholder information (as such term is defined by the PCI DSS) (“Cardholder Information”), comply with and adhere to the PCI DSS in effect. These requirements are applicable to all infrastructure and systems processing or storing any Cardholder Information. Any change in Company’s PCI DSS compliance status shall be promptly communicated to DLL.

    2. NACHA Compliance. To the extent that the services provided by Company include the initiation, processing, and storage of automated clearing house (“ACH”) entries, Company will comply with the NACHA Operating Rules and Guidelines (the "NACHA Rules") applicable to persons providing ACH-related services such as the services, as in effect from time to time.

    3. HIPAA. To the extent that Company collects or receives from DLL or on its behalf any information that constitutes “protected health information” within the meaning of the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act adopted as part of the American Recovery and Reinvestment Act of 2009, and/or any associated regulations (collectively, “HIPAA”), the use, disclosure, and treatment of such information shall be subject to a Business Associate Agreement entered into between the Parties (the “BAA”) in accordance with HIPAA. In the event of any conflict between these Terms and the terms of the BAA, the terms of the BAA shall prevail with respect to protected health information, unless these Terms provide for a greater level of confidentiality, integrity, availability, and security for protected health information.

    4. DLL Due Diligence and Compliance Reviews. DLL has the right to take reasonable and appropriate steps to help ensure that the Company uses the NPI transferred by DLL in a manner consistent with DLL’s obligations under applicable laws. As periodically requested by DLL, Company shall, at its own cost and expense, promptly complete DLL’s Supplier Questionnaire and other documents or requests for information regarding Company’s privacy and data security practices (collectively, “Due Diligence”). Company represents and warrants that all information provided to DLL in response to Due Diligence shall be accurate and complete in all respects. Additionally, DLL and its representatives and regulators may review any relevant books, records, third party audits and policies, and may request additional information, including by on-site audit, relating to Company’s and its representatives’ (including service providers’ and other subcontractors’) compliance with these Terms. When conducted by DLL or its representatives, (i) such audit shall be conducted with at least fifteen (15) days prior written notice; and (ii) the audit shall be conducted at Company’s place of business, during Company’s normal business hours and without unreasonably interrupting Company’s business operations. In addition, upon DLL’s request, Company shall furnish DLL with copies of any SSAE 18 SOC 2 Type I or Type II audit report and/or any other audit report evaluating the compliance of Company’s Plan or data controls with generally recognized industry standards and best practices.

    5. Indemnification. In addition to any indemnification obligations of Company to DLL under the Agreement, Company shall indemnify and hold harmless DLL, its affiliates, and its and their respective employees, officers, directors, shareholders, managers, members, and agents, for all out-of-pocket costs, damages, losses, judgments, settlements, and expenses (including, but not limited to, reasonable attorneys’ fees) incurred in connection with: (a) any Security Incident(s), including, without limitation, any Security Incident-Related Costs, and (b) any and all claims, demands, or proceedings by a third party, and/or any associated costs of defense and/or financial penalties or fines imposed by supervisory or regulatory authorities, arising from allegations that, if true, would constitute any breach by Company of these Terms or of any applicable laws. Company shall not, without DLL’s express prior written consent, enter into any settlement that (i) assigns, imparts or imputes fault or responsibility to DLL or its affiliates, (ii) includes a consent to an injunction or similar relief or otherwise imposes any obligation binding upon DLL or its affiliates, or (iii) provides for relief other than monetary damages that Company solely bears. Company’s indemnification obligation under this Section, and any liability incurred by Company thereunder, shall not be subject to any limitation of liability set forth in the Agreement.

    6. Insurance. In addition to any insurance obligations of Company under the Agreement, Company shall maintain (and require and ensure that its subcontractors maintain, at either their expense or Company’s) during the term of the Agreement, and thereafter for the duration of all applicable statutes of limitation, privacy and network security (sometimes otherwise known as cybersecurity or cyber liability) insurance, with protection against liability for systems attacks and liability arising from the loss or disclosure of Confidential Information. The insurance (including the policy limits) shall be sufficient to cover the types of expenses and liabilities that are subject to indemnification and reimbursement under these Terms. The policy for insurance coverage required by this Section shall (a) contain no exclusion or restriction for unencrypted portable devices or media and no insured vs. insured exclusion which would apply to DLL, and (b) be placed with an insurer reasonably acceptable to DLL, having a Best’s rating of no less than “A-”. Company shall provide a certificate upon DLL’s request evidencing such insurance and shall provide thirty (30) days prior written notice to DLL in the event of cancellation or reduction of any policy for such coverage.