Exhibit 4.a(7)
Agreement No. 53258.A.012
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) IS THE TYPE THAT THE REGISTRANT TREATS AS PRIVATE OR CONFIDENTIAL
Amendment 12
To
Agreement No. 53258.C
between
AT&T Services, Inc.
and
Amdocs Development Limited
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
AMENDMENT NO.12
TO
AGREEMENT NO. 53258.C
This Amendment No. 12, effective as of the last date signed by a Party (“Effective Date”) and amending Restated and Amended Master Services and Software License Agreement Number 53258.C, is by and between Amdocs Development Limited, a Cyprus corporation (hereinafter referred to as “Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (hereinafter referred to as “AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties.”
WITNESSETH
WHEREAS, Supplier and AT&T are parties to the Master Services Agreement No. 53258.C entered into with the effective date of February 28, 2017 (as previously restated and amended, the “Agreement”); and
WHEREAS, Supplier and AT&T now desire to amend the Agreement as hereinafter set forth.
NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:
1.0. Introduction
The following AT&T Supplier Information Security Requirements (“Security Requirements”) apply to Supplier Entities’ Information Resources used when performing any action, activity, or work under this Agreement where any of the following occur (hereinafter referred to as “In-Scope Work”):
These Security Requirements do not (i) apply to commercial off the shelf products or materials acquired from a Supplier Entity unless Supplier performs In-Scope Work, or (ii) limit more stringent obligations, if any, such as privacy or security patching as set forth elsewhere in the Agreement.
2.0. Security Domain
Supplier Entity must:
3.0. Definitions
Capitalized terms used within these Security Requirements but not defined herein shall have the meaning set forth in the Agreement.
“Administrative User” means a user with super user or elevated/enhanced security rights and permission for configuring, controlling, installing, or managing Information Resources, regardless of the types of devices and environments managed, including within any Supplier Entity’s facilities, such as within Cloud Service Provider (CSP) cloud environments.
“Cloud Service” means a service delivered via an “as a Service” cloud service model (e.g., Software as a Service (SaaS), Storage as a Service (STaaS), Database as a Service (DBaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)).
“Cloud Service Provider” or “CSP” means a Supplier Entity providing cloud-based computing services.
“Cybersecurity” means the protection of Information Resources and In-Scope Information from attacks, data theft, breaches, unauthorized access, social engineering, credential sharing, and other similar security threats.
“Demilitarized Zone” or “DMZ” means a physical or logical network or sub-network that separates an internal network from an outside network, such as the public Internet.
“In-Scope Information” means AT&T’s confidential and proprietary data, including AT&T Customer Information, which Supplier Entities collect, process, store, handle, or access in any manner while fulfilling their obligations under this Agreement, irrespective of the format and means of transmission.
“Information Resource(s)” means systems, applications, websites, networks, network elements, and other computing and information storage devices, along with the underlying technologies and delivery methods (e.g., social networks, mobile technologies, laptop computers, Portable Devices, Cloud Services, data analytics, call and voice/video recording, and Application Program Interfaces (APIs)).
“Multi-Factor Authentication” (also known as “MFA,” “Two-Factor Authentication,” and “Strong Authentication”) means the use of at least two of the following three types of authentication factors:
“Portable Devices” means media and systems, with the exception of laptop computers, capable of being easily carried, moved, transported, or conveyed that are used in connection with In-Scope Work. Examples of such devices include tablets, USB hard drives, USB memory sticks, Personal Digital Assistants (PDAs), and mobile phones (e.g., smartphones).
“Security Gateway” means a set of control mechanisms between two or more networks having different trust levels which filter and log traffic passing, or attempting to pass, between networks, and the associated administrative and management servers. Examples include firewalls, firewall management servers, hop boxes, session border controllers, proxy servers, and intrusion prevention devices.
“SCD” or “Sensitive Customer Data” means customer data that has been assessed as requiring a higher level of protection. SCD refers to the data elements listed in the Table 2 - AT&T SCD Data Elements located at the end of these Security Requirements. All data elements in Table 2 are considered In-Scope Information.
“SPI” or “Sensitive Personal Information” means private, personal information that, if compromised or exposed, could present a risk to individuals and would legally require AT&T to disclose the exposure. SPI refers to the data elements listed in the Table 1 - AT&T SPI Data Elements located at the end of these Security Requirements. All data elements in Table 1 are considered In-Scope Information.
“Service Account” means a UserID used for installing, executing, or administering an application or system. Service Accounts manage the local events/processes of an application or system.
“Strong Cryptography” means the use of cryptography based on industry-tested, accepted, and uncompromised algorithms and proper key management practices which incorporate a documented policy for the management of the encryption keys, and associated processes adequate to protect the confidentiality and privacy of the keys and credentials used as inputs to the cryptographic algorithm.
“Strong Encryption” means the use of encryption technologies based upon Strong Cryptography.
“Supplier Entity” or “Supplier Entities” means the Supplier, its affiliates, and their respective Subcontractors (including Cloud Service Providers).
4.0. Table 1 - AT&T SPI Data Elements
Data elements in the following tables must be treated as SPI when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.
| Data Element | Description |
|---|---|
| Government Issued Identification Number | Includes:<br>1. Driver’s License Number<br>2. Taxpayer Identification Number - In an individual’s name. Excludes those in a company name.<br>3. U.S. Social Security Number<br>4. National/State/Region issued identity number<br>5. Government Identity Card<br>6. Government identifiers for professionals<br>7. Government-sponsored health or food plan identifier<br>8. Passport Number<br>9. Alien Registration Number<br>10. Birth Certificate Number<br>11. Other government issued identification number<br>Excludes:<br>1. Customer Application Identification Number (Application ID), and<br>2. Representative Accountability Database (RAD) ID, and<br>3. Any such numbers that are issued on the understanding that they must be a matter of public record, e.g., U.S. FCC Radio License. |
| Date of Birth (DOB) | An individual’s full and complete date of birth (DOB), i.e., including month, day, and year. Excludes partial DOB. |

| Data Element | Description |
|---|---|
| Payment Card Number | Primary Account Number (PAN) for all types of payment cards. Includes:<br>1. AT&T corporate payment card number<br>2. Consumer payment card number |
| Payment Card Security Data | The security data used in association with a payment card (corporate, personal, etc.) to confirm legitimate use. Includes:<br>1. Card Security Codes (CSC)<br>2. Personal Identification Numbers (PINs) used with payment cards but excludes PINs used to authenticate access to AT&T systems (see “Customer Authentication Credentials” data element). |
| Financial Institution Account Number | Includes: All types of financial institution accounts (savings, checking, investments, pensions, etc.) both personal and business in an individual’s name.<br>Excludes: Bank routing number. |

| Data Element | Description |
|---|---|
| Biometric Data | Measures of human physical and behavioral characteristics used for authentication purposes, for example DNA, fingerprint, voiceprint, retina, or iris image.<br>Includes: Full biometric data.<br>Excludes:<br>1. Templates (e.g., “vector” equivalents) that contain discrete data points derived from biometric data (i.e., templates that do not hold the complete biometric image, where the template cannot be reverse engineered back to the original biometric image), and genetic test information.<br>2. Signature. |
| Customer Authentication Credentials<br>Applies to Customers only | Values used by customers to authenticate and permit access to:<br>1. The customer’s personal information, including Customer Proprietary Network Information (CPNI) and AT&T Proprietary Information (SPI)<br>— or —<br>2. An application enabling the customer to subscribe to, or unsubscribe from, AT&T services<br>— or —<br>3. An AT&T service to which the customer is subscribed<br>Includes:<br>1. Personal Identification Numbers (PINs), passwords, and passcodes<br>2. Templates (e.g., “vector” equivalents) of biometrics, photographs, or signatures<br>Excludes:<br>1. Card Security Codes (CSCs) and PINs used in association with payment cards.<br>2. Full biometrics<br>3. Full photograph<br>4. Full signature |
| Customer Authentication Credential Hints<br>Applies to Customers only | Answers to questions used to retrieve customer authentication credentials. |
| Work Vehicle Location | Information that identifies the current or past location of an AT&T work vehicle that is directly associated with a personal identifier for an AT&T Employee or Non-Payroll Worker (NPW) which allows for Location-Based Information tracking of such individual. The work vehicle’s location (e.g., a map address, or latitude and longitude together with altitude where known) may be determined because it is a connected vehicle or has some other Satellite Navigation (SatNav) capable device assigned to that vehicle, or by some other means such as network connectivity. |
| Location-Based Information (LBI) | Information that identifies the current or past location of a specific individual’s mobile device.<br>A mobile device’s location (e.g., a map address, or latitude and longitude together with altitude where known) derived from the mobile device through activities such as GPS or network connectivity rather than as a result of user action (e.g., revealing location in the content of an email or SMS). |

| Data Element | Description |
|---|---|
| Criminal History | Information about an individual’s criminal history, e.g., criminal check portion of a background check. |
| Background Checks | Third party (non-AT&T) checks including credit history, employment history, and driving records. Excludes criminal history (see Criminal History). |
| Racial or Ethnic Origin<br>Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming an individual’s racial or ethnic origin. |
| Trade Union Membership<br>Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming that an individual is a member of a trade union. |
| Information Related to an Individual’s Political Affiliation or Religious Belief | Data specifying and/or confirming an individual’s political affiliation or religious or similar beliefs. |
| Information Related to an Individual’s Sexual Orientation<br>Subject to non-U.S. Jurisdiction* | Data specifying and/or confirming an individual’s sexual life or orientation. |

| Data Element | Description |
|---|---|
| U.S. Protected Health Information (PHI) | Includes:<br>1. Any U.S. health information used in AT&T’s Group Health Care plans or belonging to AT&T’s customers that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individuals that includes information about:<br>• The individual’s past, present, or future physical or mental health or condition;<br>• The provision of health care to the individual;<br>— or —<br>• The past, present, or future payment for the provision of health care to the individual. |
| | 2. Health information of retirees, employees, or employee beneficiaries used by AT&T for purposes other than a group health plan is not PHI. For medical and health information not related to AT&T’s Group Health Care plans, see "Medical and Health Information." |
| Medical and Health Information | Any information concerning physical or mental health conditions or disabilities. Includes:<br>1. Medical record number<br>2. Health plan beneficiary number<br>3. Medical device identifiers and serial numbers<br>4. Prescription (Rx) number<br>5. Health insurance identification or account number<br>6. Medical treatment – Information about the management and care of a patient or the combating of disease or disorder.<br>7. Medical diagnosis<br>8. Medical history<br>9. Medical payment information<br>10. Medical claims data<br>11. Medical images and metadata<br>12. Drugs, therapies, or medical products or equipment used<br>13. Family health or morbidity history - an account of all medical events and problems experienced by members of the individual’s family<br>14. Other medical and health information |
| Genetic Information | Includes: Information about an individual’s genetic tests.<br>Excludes: Full DNA (see Biometric Data). |

| Data Element | Description |
|---|---|
| Customer Web Browsing and Search History | Includes:<br>1. Information about what searches AT&T customers perform<br>2. Web sites AT&T customers visit<br>3. Web pages AT&T customers view<br>4. Applications AT&T customers use on an AT&T Network (wireline and wireless including Wi-Fi)<br>Excludes:<br>1. Searching, browsing, and activities associated with customers’ use of official AT&T corporate web sites (e.g., any web sites that resolve directly to, or redirect to, *att.com, *cricketwireless.com).<br>Note: Exclusion from this row does not preclude potential pre-classification in another data element (e.g., customer viewing history).<br>2. History captured at the network level prior to processing (e.g., raw data streams not associated with a customer). |
| Customer Viewing History | Information about programs watched or recorded, games and applications used, etc. |
| Customer Web Communications Payload - AT&T Use | When captured as part of service analysis, e.g., Deep Packet Inspection (DPI) data. |
*Footnotes:
Where a data element has the term “Subject to non-U.S. jurisdiction” associated with it, that data element is to be classified as AT&T Proprietary (SPI) when applied to data elements subject to the non-U.S. jurisdiction, irrespective of whether the data is created, handled, processed, destroyed, or sanitized inside or outside of the United States.
5.0. Table 2 - AT&T SCD Data Elements
Data elements in the following table must be treated as SCD when used in their entirety, unless explicitly stated otherwise. This applies to all data formats including scanned images, screen captures and recordings, PDFs, JPGs and any other unified communication, and collaboration tools/content.
| Data Element | Description |
|---|---|
| Customer “messaging” content | Includes: Email, text messages, conference call recordings, and voice mail call recordings.<br>Excludes: “Messaging” between customers and AT&T. |
| Customer Telemetry Data<br>Customer Use | Automated communications for monitoring by the customer (rather than AT&T). Including all data that is generated by AT&T’s customers’ use of the Digital Life® service or any other Internet of Things (IOT) service that is used by the customer to monitor or control the service. For example, video files. |
Table 3.24.g
| | Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized) | Cities where services will be performed for AT&T | Services to be performed at approved Physical Location | Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services |
|---|---|---|---|---|
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |

| | Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized) | Cities where services will be performed for AT&T | Services to be performed at approved Physical Location | Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services |
|---|---|---|---|---|
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Development, Testing, Operations Support | Amdocs |

| | Countries where services are authorized by AT&T to be performed (physical location address is also required if the Services involve Information Technology-related work or if a “virtual” or “work-from-home” address is authorized) | Cities where services will be performed for AT&T | Services to be performed at approved Physical Location | Name of Supplier / Supplier Affiliate, and/or Subcontractor performing the services |
|---|---|---|---|---|
| [***] | [***] | [***] | Monitoring & Alerting, Security and Compliance Support, Infrastructure and Stability Support, Program Status & Governance, Development, Testing, Operations Support | Amdocs |
| [***] | [***] | [***] | Solution Design Creation: process description, APIs description, deployment diagrams, Development, Testing, Operations Support | Amdocs |
Original signatures transmitted and received via facsimile or other electronic transmission of a scanned document, (e.g., .pdf or similar format) are true and valid signatures for all purposes hereunder and shall bind the Parties to the same extent as that of an original signature. This Amendment may be executed in multiple counterparts, each of which shall be deemed to constitute an original but all of which together shall constitute only one document.
IN WITNESS WHEREOF, the Parties have caused this Amendment to Agreement No. 53258.C to be executed, as of the date the last Party signs.
| Amdocs Development Limited | AT&T Services, Inc. |
|---|---|
| By: | By: |
| Name: | Name: Steve Wehde |
| Title: | Title: Principal Technical Sourcing Management |
| Date: | Date: 3/28/2024 |