Door shall provide the Services in accordance with the terms and conditions regarding data security set forth herein, as well as in accordance with all applicable laws relating to data privacy and security. Door shall also cooperate and use best efforts to comply with any requests or instructions issued by any governmental or regulatory authority in respect of Customer Confidential Information and personally identifiable information within the Customer Data (collectively, the “Protected Data”). Door shall provide to Customer a summary copy of Door’s written information security program and plan upon request and will continue to supply Customer with material updates to this program and plan.
Door will establish and maintain appropriate electronic, physical and organizational security procedures, measures and controls to guard against the destruction, loss, unauthorized access or disclosure, usage or alteration of Protected Data in the possession of Door, that are no less rigorous than those maintained by Door for its own information of a similar nature. Door shall use commercially reasonable efforts designed to ensure that Protected Data will be accessible by only the individuals involved in the provision, development, production and support of the Services; and (iii) any inadvertent disclosure or discovered potential risk of unauthorized access will be communicated promptly to Customer to the extent permitted by law. Door agrees to not sell, provide, distribute, or make available Protected Data to any third party, with the exception of law enforcement or regulatory authorities upon requirements. Protected Data will not be used for any purpose outside of the scope of this Agreement. Door agrees to hold all Customer data and Confidential Information exclusively in the United States of America.
Door has implemented and maintains information security practices designed to meet the following objectives:
Upon discovery, Door agrees to notify Customer of any unauthorized disclosure, access to, or misuse of Protected Data (“Breach”) and confirm receipt by Customer as soon as possible, but in no event shall such notification and confirmed receipt by the Customer be later than 24 hours following discovery of the Breach. Unless Door has used secure communication channels, such notification shall not contain any Protected Data. Notwithstanding the foregoing, Door may delay notification of a Breach if a law enforcement agency determines that such notification will impede a criminal investigation; such notification will then occur promptly after the law enforcement agency determines that it will not compromise the investigation.
Notification to Customer of a Breach is to be made by phone and electronically via email. Neither party may delay or interfere with any required notification of clients, consumers, regulatory agencies, or law enforcement of such a discovered or suspected incident, except as explicitly requested by involved law enforcement agencies.
Notification shall include the nature of the information lost or disclosed, how the loss or disclosure happened, the identity of all customers or consumers potentially affected, the status of any internal or regulatory or law enforcement investigation, and any actions taken or required by either party to stop or limit any significant harm or inconvenience to the Customer or any affected customers or consumers. Each party shall remain responsible for notification of its own customers, regulators, and law enforcement agencies of any such discovered or suspected Breaches required by laws applicable to such party and this Agreement.
Except in connection with providing the Services, Door will not access Customer’s data, computing systems and/or networks without Customer’s express authorization and any such actual or attempted access shall be in accordance with the written authorization provided by Customer. Under no circumstances shall Door personnel or contractors operate any electrical or mechanical device controlling any part of the equipment of any Customer facility except with the explicit permission of an authorized Customer representative. Unless authorized by Customer in advance and in writing, Door and its employees shall not load or use any software products or materials within Customer’s systems or environments. Door shall take all necessary steps to ensure that its personnel comply with this provision, and that, to the extent any personnel has access to Customer’s systems or environments, all of its employees are instructed to conform to Customer’s reasonable requirement.
All Door employees, independent contractors, and sub-contractors providing Services to Customer or with access to the premises, records or data of Customer shall have been screened by Door and subjected to detailed pre-employment background checks (including federal, state and county of residence criminal background checks). Door shall not knowingly permit any Door employee or contractor to have access to the premises, records or data of Customer when such person has been convicted of a crime in connection with a dishonest act or a breach of trust, as set forth in Section 19 of the Federal Deposit Insurance Act, 12 U.S.C. 1829(a).