Exhibit 4.a(8)
Agreement No. 53258.A.013
CERTAIN IDENTIFIED INFORMATION HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (I) NOT MATERIAL AND (II) IS THE TYPE THAT THE REGISTRANT TREATS AS PRIVATE OR CONFIDENTIAL
Amendment 13
To
Agreement No. 53258.C
between
AT&T Services, Inc.
and
Amdocs Development Limited
Agreement No. 53258.A.013
AMENDMENT NO.13
TO
AGREEMENT NO. 53258.C
This Amendment No. 13, effective as of the last date signed by a Party (“A13 Effective Date”) and amending the Restated and Amended Master Services and Software License Agreement Number 53258.C, is by and between Amdocs Development Limited, a Cyprus corporation (hereinafter referred to as “Supplier” or “Amdocs”), and AT&T Services, Inc., a Delaware corporation (hereinafter referred to as “AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties.”
WITNESSETH
WHEREAS, Supplier and AT&T are parties to the Restated and Amended Master Services Agreement No.53258.C entered into on/with the effective date of February 28, 2017 (as previously restated and amended, the “Agreement”); and
WHEREAS, Supplier and AT&T now desire to amend the Agreement as hereinafter set forth.
NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:
1.
Section 1.3 Term of Agreement is revised to change the Expiration Date from October 15, 2025, to December 31, 2029.
2.
A new Subsection 3.5.f shall be added as follows:
g.
Supplier certifies that it will comply with the provisions set forth in Appendix O – Consumer Privacy and Data Protection as attached hereto for all subordinate agreements (e.g., Order, SOW) executed after the A13 Effective Date where reasonably applicable based on the scope of Services in each such subordinate agreement. For such subordinate agreements Consumer Privacy and Data Protection compliance shall be based on the applicable Laws in place as of the effective date of each subordinate agreement.
Amdocs shall have the right to include reasonable fees (whether expressly called out or bundled with other fees) to deliver the Consumer Privacy and Data Protection services scope under Appendix O within a subordinate agreement at the time of its execution. If a subsequent change in appliable Consumer Privacy and Data Protection Laws materially impacts Supplier’s cost to provide the Services under such subordinate agreement(s), the contractually applicable change management process may be utilized to evaluate the need for incremental fees.
3.
The following sentence, contained in subsection “a.” of Section 4.2 Background Check/Drug Screening, shall be deleted in its entirety.
“For Supplier Persons based in India the Background Checks must be completed within [***] of the start of performance of any Service.”
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
2
Agreement No. 53258.A.013
4.
The following language shall be added to subsection “a.” of Section 4.2 Background Check/Drug Screening.
Urgent Supplier Personnel Deployment Requirement. When the Parties agree that there is an immediate need to add new Supplier and/or Supplier Subcontractor resources which have not been subject to a Supplier background check and only where such new resources are directly transitioning to Supplier from AT&T or AT&T’s then-current designated third party supplier as part of a transition of Work (“Transitional Personnel”), then Supplier is hereby authorized to use such Transitional Personnel in Supplier’s provision of Work to AT&T for up to [***] while Supplier performs its own background check of such Transitional Personnel. If it is determined that such Transitional Personnel do not satisfy Supplier’s background check requirements, Supplier will take appropriate action regarding the use of such Transitional Personnel in provision of Work to AT&T.
5.
A new Section 4.15 Supplier Information and Offshore Requirements is hereby added to the Agreement as follows:
4.15 Supplier Information and Offshore Requirements
Supplier shall comply with the AT&T's Security and Offshore Requirements as set forth in Appendix D – Security and Offshore Requirements, attached hereto. These terms include AT&T Offshore Supplier Information Security Requirements (SISR).
6.
A new Section 4.16 Retention and Secure Destruction of AT&T Records is added as follows and shall apply only to applicable (as detailed in this Section 4.16) new subordinate agreements (e.g., Order, SOW) executed after the A13 Effective Date:
4.16 Retention and Secure Destruction of AT&T Records
This Retention and Secure Destruction of AT&T Records clause and companion Certificate of Destruction (COD) Appendix are required to comply with applicable AT&T Security Policy and Requirements whenever the Supplier meets both of the following criteria:
1.
Under a specific subordinate agreement (e.g., Order, SOW, Supplement, etc.), Supplier will have access to, use, store, or process any AT&T Proprietary Information (e.g., simple system logs, AT&T Derived Information), AT&T employee information, Customer Information, SPI, PII, CPNI, or other types of AT&T sensitive information; and
2.
Under such specific subordinate agreement (e.g., Order, SOW, Supplement, etc.), Supplier will be required to store/retain/create information evidencing AT&T’s activities, transactions, and business decisions that
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
3
Agreement No. 53258.A.013
a.
Supplier is being paid by AT&T to store/retain/create (e.g., to perform analytics); or
b.
AT&T does not store/retain/create for itself.
Where applicable based on the criteria above, the subordinate agreement (e.g., Order, SOW, Supplement, etc.) shall: (i) by default, incorporate by reference this clause which sets forth specific definitions and retention obligations, (ii) explicitly include a “Table - Retention Period(s) for Record(s)” completed by Supplier and the AT&T BU client responsible for allowing access, collection, and storage of the records listed in that table, (iii) include fees for such work in the subordinate agreement price (whether expressly called out or bundled with other fees), and (iv) incorporates by reference the Appendix – Certificate of Destruction (COD) as attached hereto. The AT&T BU client will work with their RIM Coordinator to provide the applicable record types and retention periods for the table, to which the Supplier shall adhere.
If particular Information/record types or obligations are not listed in the Table - Retention Period(s) for Record(s) but are listed elsewhere in this Agreement or the applicable subordinate agreement (e.g., with respect to international Privacy, e.g., GDPR, LGPD, NZPA, or National US state, CPRA) or in the event of a “Legal Hold”, then the language and retention obligations set forth elsewhere in this Agreement or the applicable subordinate agreement will control with respect to such requirements.
i.
“Record” means recorded information, regardless of physical form or characteristics (e.g., paper, analog, digital, optical, and electronic), evidencing AT&T’s activities, transactions, and business decisions.
ii.
“Retention Period” means the period during which Records must be maintained because they may be needed for AT&T’s operational, legal, fiscal, historical, or other purposes. Unless a more stringent retention period is stated elsewhere in this Agreement, which retention period will control, the retention period for each Record is the period stated in the subordinate agreement in accordance with the AT&T Records and Information Management (RIM) Policy and Records Retention Schedule
iii.
“Certificate of Destruction” or “COD” is a formal document containing detailed information about the destruction of Records that ensures that the secure destruction procedure used renders materials incapable of reconstruction by any reasonable procedure, and complies with all relevant Laws.
b.
Supplier Obligations Regarding Retention of AT&T Records.
i.
Supplier may create or collect on AT&T’s behalf, or receive from AT&T or a third party, AT&T Records in connection with this Agreement. Supplier
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
4
Agreement No. 53258.A.013
represents and warrants that Supplier will retain the Records in accordance with the RIM Policy and Records Retention Schedule detailed in each applicable subordinate agreement. Notwithstanding the foregoing, upon AT&T’s written request, Supplier must promptly destroy the requested AT&T Records in Supplier’s possession, if any, at any time during any Retention Period.
ii.
Supplier is permitted to access and retain copies of the Records only for the Retention Period during which Supplier requires the Records to fulfill its obligations under this Agreement or the applicable subordinate agreement, but shall not retain the Records any longer than the Retention Period(s) set in the applicable subordinate agreement in accordance with the AT&T Records and Information Management (RIM) Policy and Records Retention Schedule .
iii.
Supplier’s Contact authorized to address Retention and Secure Destruction of AT&T Records is [***]. In the event Supplier changes its contact information, Supplier must notify AT&T at [***] within [***] of such change.
iv.
AT&T reserves the right to notify Supplier in writing regarding any changes to extension of the Retention Period for Records (an “Extension”) subject to lawsuits, regulatory proceedings, government enforcement investigations, audits, subpoenas, and similar proceedings. Upon receiving such notice, Supplier shall retain and avoid the alteration of the specified Records and suspend all scheduled destruction until AT&T notifies Supplier in writing that the Extension has expired. Supplier must promptly provide such Records to AT&T upon request by AT&T.
v.
Supplier must use the COD form, medium, and a process acceptable to AT&T (e.g., a COD PDF with macros as may be provided by AT&T), which may be changed by AT&T in its sole discretion upon [***] written notice to Supplier, which shall not materially increase the burden on Supplier without Supplier’s prior consent, which shall not be unreasonably withheld, which notices and changes, if any, notwithstanding anything to the contrary in this Agreement, will not require an amendment to this Agreement.
c.
Supplier Obligations Regarding Destruction of AT&T Records. Except for Supplier’s obligations to comply with any more stringent Information retention timelines and/or destruction of AT&T records requirements set forth elsewhere in this Agreement or the applicable subordinate agreement, which more stringent requirements will control, promptly upon AT&T’s written request and no later than the timelines specified in the applicable Retention Period for AT&T Records, Supplier must (i) notify AT&T at [***] that such Retention Period(s) is/are concluding and, unless otherwise directed by AT&T; (ii) securely destroy (i.e., rendering materials incapable of reconstruction by any reasonable procedure) the AT&T Records at the end of such Retention Period, at no additional cost beyond the costs detailed in the subordinate agreement; (iii) following the destruction of AT&T Records and/or any copies thereof, provide to AT&T at [***] a COD that identifies the securely destroyed Records; (iv) include, at a minimum, in each COD all data elements as listed in the Supplier COD Minimum Requirements (below),
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
5
Agreement No. 53258.A.013
substantially in the form of Appendix X – Certificate of Destruction, attached hereto; and (v) provide same to AT&T at [***] within [***] of when the destruction is complete. With respect to each COD provided to AT&T, Supplier certifies that the data elements listed in subsection d., below, have been securely and irretrievably destroyed rendering the Records incapable of reconstruction, including records in any form (e.g., paper, analog, digital, optical, and electronic, and data contained on electronic media, including devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and office equipment) and no back up or additional copies were retained.
d.
Supplier Certificate of Destruction (COD) Minimum Requirements.
A Certificate of Destruction (COD) from Supplier must include at a minimum, the following data elements:
•
Supplier Business Contact Name
•
AT&T Business Contact Name
•
Method of destruction (clear purge, damage, destruct)
•
Verification/Validation method date and method
•
Signature or Credentials attesting to Certification of Destruction
Notwithstanding the above, with AT&T’s prior written consent, which shall not be unreasonably withheld, Supplier may use a data destruction process that may include documentation demonstrating compliance with data deletion and retention policies, such as confirmation of data deletion and adherence to industry standard guidelines. This documentation may, where agreed, be in the form of a report or certificate that outlines the secure deletion methods used, including cryptographic erasure or other approved techniques.
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
6
Agreement No. 53258.A.013
e.
The Retention Periods for AT&T Records will be agreed by the Parties in the specific subordinate agreement and may include the examples of Retention Periods as set forth in the table below.
Table - Retention Period(s) for Record(s)
|
|
|
Official Record Type –
|
Official Retention Period
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
|
[***]
7.
The terms and conditions of this Amendment No. 13 shall become effective, where applicable, on August 1, 2025.
Original signatures transmitted and received via facsimile or other electronic transmission of a scanned document, (e.g., .pdf or similar format) are true and valid signatures for all purposes hereunder and shall bind the Parties to the same extent as that of an original signature. This Amendment may be executed in multiple counterparts, each of which shall be deemed to constitute an original but all of which together shall constitute only one document.
|
|
|
|
|
|
IN WITNESS WHEREOF, the Parties have caused this Amendment to Agreement No. 53258.C to be executed, as of the date the last Party signs.
|
|
Amdocs Development Limited
|
|
AT&T Services, Inc.
|
|
By:
|
/s/ Aviv Sneh
|
|
By:
|
/s/ Steve Wehde
|
|
Name:
|
Aviv Sneh
|
|
Name:
|
Steve Wehde
|
|
Title:
|
Authorized Signatory
|
|
Title:
|
Principal Technical Sourcing Management
|
|
Date:
|
June 18, 2025
|
|
Date:
|
June 16, 2025
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
7
Agreement No. 53258.A.013
Appendix O – Consumer Privacy and Data Protection
The provisions in this Appendix O – Consumer Privacy and Data Protection are applicable to the Processing of Personal Information that is subject to Data Protection Laws. To the extent that there is a conflict between the terms and conditions elsewhere in this Agreement and those in this Appendix O – Consumer Privacy and Data Protection, the latter shall control.
In addition to the definitions in the Agreement, the following definitions shall apply:
1)
“Data Protection Laws” includes all United States federal, state, local, and territorial Laws of any type enacted by governmental authorities related to consumer or individual privacy and data protection and that apply to Services under this Agreement, regardless of where Supplier is located or the location from which Services may be performed, including international locations.
2)
“Personal Information” has the meaning provided under the Data Protection Laws, including sensitive personal information. Without limiting the definition under the applicable Data Protection Laws, personal information generally means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual or household (where applicable) and is provided, disclosed, or made available to, shared with, or collected or accessed by Supplier for use or processing for a specific business purpose in connection with the Services. Individuals whose data is encompassed by this definition may include, but are not limited to, customers, potential customers, employees, and independent contractors of AT&T. Personal Information also includes AT&T “Customer Information” as defined in the Agreement.
3)
“Processing” has the meaning provided under the Data Protection Laws, and generally means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means.
II.
Scope of Personal Information
Supplier agrees to act as a service provider of AT&T and to treat all Personal Information it processes on behalf of AT&T in accordance with the terms herein and the Agreement, whether provided by AT&T to Supplier or accessed or collected by Supplier on AT&T’s behalf. Personal Information processed in connection with the Services provided under this Agreement shall be solely as described in Exhibit 1 to this Appendix O and the applicable Statements of Work, Orders, or other descriptions of deliverables, including the categories of Personal Information being processed, the nature and purpose of Processing, the duration of Processing, and the specific business purpose(s) for which Supplier may access, use, or process Personal Information.
1)
Supplier shall not sell, rent, lease, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means any Personal Information to another person, business, or third party for monetary or other valuable
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
8
Agreement No. 53258.A.013
consideration. This prohibition includes combining or updating Personal Information received from or on behalf of AT&T with Personal Information that Supplier received from another source unless expressly permitted by applicable Data Protection Laws.
2)
Supplier shall not retain, use, or disclose Personal Information: (i) to any person, business, or third party other than AT&T, (ii) for any purpose, including any commercial purpose, or (iii) outside of the business relationship between Supplier and AT&T, all except to perform Services for AT&T in accordance with this Agreement, or except to the extent that disclosure is required by Law.
3)
Supplier shall, in performing its duties under this Agreement, abide by all obligations set forth in Data Protection Laws and not use or disclose any Personal Information in violation of any restrictions in Data Protection Laws.
4)
Supplier’s obligations under the Agreement that pertain to AT&T Customer Information also apply to Personal Information as defined under this Appendix. If there is a conflict between or among provisions, the most consumer protective provision that also complies with the terms of this Appendix will control.
IV.
Individual Rights Requests
1)
Requests for Data Access (Right to Know)
a) If Supplier collects Personal Information on behalf of AT&T under this Agreement, AT&T reserves the right to require Supplier to provide to AT&T all of the Personal Information collected, at any time, in AT&T’s sole discretion (a “Data Access Request”).
b) Data Access Requests will be provided to Supplier in writing and will identify individual(s) or household(s) whose information Supplier shall provide to AT&T.
c) Supplier will have [***] to comply with a Data Access Request by providing the information requested to AT&T.
d) Supplier shall maintain complete and accurate records relating to its compliance with each Data Access Request. AT&T and its auditors will have the right to review Supplier’s compliance with any Data Access Request (“Data Access Audit”). The audit provisions of the Agreement apply to Data Access Audits; provided, however, that such audits may occur whenever required in connection with Data Protection Laws.
e) For a Data Access Audit, Supplier shall provide AT&T access at reasonable times to the records relating to Data Access Requests; systems used to access information identified in the requests; and employees and contractors who facilitated compliance with Data Access Requests.
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
9
Agreement No. 53258.A.013
2)
Requests for Data Deletion/Correction/Limitation
a) AT&T reserves the right to require Supplier to delete or correct all Personal Information associated with an individual or household at any time, in AT&T’s sole discretion (a “Data Deletion/Correction Request”).
b) AT&T reserves the right to limit the use of sensitive personal information (as defined under applicable Data Protection Laws) associated with an individual or household at any time, in AT&T’s sole discretion (a “Data Limitation Request”).
c) Data Deletion/Correction/Limitation Requests (collectively, “Data Remediation Requests”) will be provided to Supplier in writing and will identify individual(s) or household(s) whose information shall be deleted, corrected, or limited.
d) Supplier will have [***] to comply with and confirm completion of a Data Remediation Request by (a) deleting, correcting, or limiting the data identified and (b) providing written confirmation to AT&T. If Supplier is required by Law to retain information that is subject to a specific request or determines it must retain information to provide the Services specified in this Agreement, it will so advise AT&T in writing within [***] and AT&T will provide further direction.
e) Supplier shall maintain complete and accurate records relating to its compliance with each Data Remediation Request (which records shall not include data that was required to be deleted). AT&T and its auditors have the right to review Supplier’s compliance with any Data Remediation Request (“Data Remediation Audit”). The audit provisions of the Agreement shall apply to Data Remediation Audits; provided, however, that such audits may occur whenever required in connection with Data Protection Laws.
f) For a Data Remediation Audit, Supplier shall provide AT&T access at reasonable times to the records relating to Data Remediation Requests; systems used to delete, correct, or limit information identified in the requests; and employees and contractors who facilitated compliance with Data Remediation Requests.
While all provisions of the Agreement apply to this Appendix O – Consumer Privacy And Data Protection, Supplier expressly agrees that the provisions regarding confidentiality of information, the return or destruction of information, security of data and information (including “data breach” and “breach notification” obligations), and applicable audit rights related to information and records maintained by Supplier shall also apply to Supplier’s obligations in connection with Personal Information, including without limitation the following:
1) Supplier agrees that it is obligated to protect all Personal Information with appropriate technical and organizational security practices and procedures at least as stringent as those set forth in the data and information security provisions of the Agreement and as required by Data Protection Laws.
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
10
Agreement No. 53258.A.013
2) Supplier agrees that AT&T has the right to take reasonable and appropriate steps to ensure that Supplier is using the Personal Information consistent with the Agreement and applicable Data Protection Laws, including auditing Supplier’s operations as appropriate (in accordance with and subject to the applicable audit provisions and terms set forth in Section 3.31 of the Agreement).
3) After execution of this Agreement, in the event Supplier determines it is unable to meet the obligations of applicable Data Protection Laws or this Appendix, it shall notify AT&T within [***] of such determination by written Notice in accordance with the Agreement and permit AT&T to take prompt action reasonable and appropriate to ensure compliance and to protect Personal Information from unauthorized use or disclosure. Supplier’s notification will not diminish Supplier’s obligations or limit or waive AT&T’s rights under the Agreement.
4) In the event that AT&T determines that Supplier is not using Personal Information in accordance with the obligations of this Appendix or Data Protection Laws, upon notice, AT&T may take reasonable steps to stop any further use of Personal Information until the situation is remediated to AT&T’s reasonable satisfaction.
5) Supplier agrees not to engage any Subcontractors to perform any of the functions it performs on behalf of AT&T except upon prior written notice to AT&T and as otherwise permitted under the Agreement, including requiring any Subcontractor(s) to be bound by a written agreement with Supplier that requires comparable compliance with the obligation in this Appendix O – Consumer Privacy And Data Protection and the applicable Data Protection Law, as applicable for the Services to be rendered by such Subcontractors. Supplier remains fully responsible for its Subcontractors’ compliance with this Appendix O – Consumer Privacy And Data Protection.
6) Throughout the term of the Agreement, Supplier shall make available, upon written request, all information reasonably necessary to demonstrate its compliance with applicable Data Protection Law and the terms of this Appendix O – Consumer Privacy And Data Protection.
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
11
Agreement No. 53258.A.013
EXHIBIT 1
DETAILS OF SUPPLIER PROCESSING
The below describes the Processing of Personal Information under this Agreement.
AT&T Company or Affiliate: AT&T Services, Inc.
Supplier: Amdocs Development Limited
II.
Subject Matter of Processing Personal Information
Supplier Processes Personal Information in relation to the provision of Services specified under this Agreement, including any applicable Statements of Work, Orders, or other descriptions of deliverables.
III.
Business Purposes for Processing Personal Information
In addition to the specific purposes of providing the Services described in the Agreement, including applicable Statements of Work, Orders, or other Descriptions of Deliverables, Personal Information will be Processed for the following general Business Purposes (insert “Y” or “N” for each):
[N] Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with applicable requirements and other standards.
[Y] Helping to ensure security and integrity to the extent the use of the individual’s personal information is reasonably necessary and proportionate for these purposes.
[Y] Debugging to identify and repair errors that impair existing intended functionality.
[N] Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of an individual’s current interaction with AT&T, or Supplier on AT&T’s behalf, provided that the individual’s personal information is not disclosed to another third party and is not used to build a profile about the individual or otherwise alter the individual’s experience outside of the current interaction with AT&T and/or Supplier.
[Y] Performing services on behalf of AT&T, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of AT&T.
[N] Providing advertising and marketing services to individuals, except for cross-context behavioral advertising (i.e., targeting advertising to an individual based on personal information obtained from a source other than that collected from a current interaction with an individual), provided that, for the purpose of advertising and marketing, Supplier shall not combine the personal information of individuals for whom Supplier has actual knowledge that an individual has elected by any means to opt-out of such use of their personal
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
12
Agreement No. 53258.A.013
information with other personal information that Supplier receives from, or on behalf of, another person or third party or collects from its own interaction with an individual, or individuals.
[N] Undertaking internal research for technological development and demonstration.
[N] Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by AT&T, and to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by AT&T.
[N] Use or collection of employment-related information to provide employment-related services, including for the purpose of administering employment benefits or related programs.
[N] Performing other business or operational functions in support of the Services (please specify): __________________________________________________________________
IV.
Categories of Personal Information
The following categories of Personal Information are processed under this Agreement (insert “Y” or “N” for each):
[Y] Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
[N] Characteristics of protected classifications under Data Protections Laws.
[Y] Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
[N] Biometric information.
[N] Data that identifies a device from which (or to which) electronic communications are sent (or received), which data may include Internet Protocol (IP) address, Media Access Control (MAC) address, International Mobile Equipment Identity (IMEI) number, International Mobile Subscriber Identity (IMSI) number, serial number, and unique device identifier (UDID) (“Device Identification Data”).
[N] Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding an individual’s interaction with an internet website application or advertisement.
[Y] Non-precise Geolocation data.
[N] Audio, electronic, visual, thermal, olfactory, or similar information.
[N] Professional or employment-related information, including but not limited to AT&T information.
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
13
Agreement No. 53258.A.013
[N] Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
[N] Inferences drawn from any of the information identified in this subdivision to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
[Y] Sensitive personal information (select categories in next section).
[Y] Other categories of Personal Information not specified above (general description): Telephone Number, Billing Account Number, Designated Market Area code
V.
Categories of Sensitive Personal Information
The following categories of Sensitive Personal Information (including Personal Information that reveals any of the following) are processed under this Agreement (insert “Y” or “N” for each):
[Y] An individual’s social security, driver’s license, state identification card, or passport number.
[Y] An individual’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
[N] An individual’s precise geolocation information.
[N] An individual’s racial or ethnic origin, religious or philosophical beliefs, or union membership.
[N] The contents of an individual’s mail, email, and text messages.
[N] An individual’s genetic data.
[N] Processing of biometric information for the purpose of uniquely identifying an individual.
[N] Personal information collected and analyzed concerning an individual’s health.
[N] Personal information collected and analyzed concerning an individual’s sex life or sexual orientation.
[N] An individual’s political opinions or associations.
[N] An individual’s religious or philosophical beliefs.
[N] An individual’s criminal record.
[Y] Other categories of Sensitive Personal Information not specified above (general description):
Tax ID, Date Of Birth
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
14
Agreement No. 53258.A.013
VI.
Categories of Individuals whose Personal Information is Processed
The Personal Information processed by Supplier relates to the following categories of Individuals (insert “Y” or “N” for each):
[N] AT&T’s or its Affiliates’ employees/representatives (incl. independent contractors).
[Y] AT&T’s or its Affiliates’ customers or potential customers, including customer affiliates and its employees/representatives (incl. independent contractors).
[N] Employees/representatives of AT&T’s suppliers (other than Supplier), their subcontractors of any tier, and/or their affiliates.
[ ] Other (please specify):___________________________________________________
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
15
Agreement No. 53258.A.013
APPENDIX
Certificate of Destruction
SAMPLE CERTIFICATE OF DESTRUCTION
[Information populated below are examples only]
Supplier Name- [Supplier Name]
Contract Number- [434122]
Supplier Business Contact Name- [Jim Lee]
AT&T Business Contact Name- [Jennifer Jones, Construction & Engineering, Manager]
Method of Destruction: [Delete/Erase]
Media Type: [e.g., paper, analog, digital, optical, and electronic, and data contained on electronic media, including devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, and office equipment]
Media Source: [Austin Data Center]
Description of Data/Records: [AT&T Customer Personal Information including Name, Address, and phone number.]
iTap or MOTS ID Number:* [MOTS/iTap ID]
RIM Code*: [RIM Code]
*If provided by AT&T
Record Creation Date or Date Range: [1/1/2009-3/1/2009]
Record Destruction Date: [5/1/2023]
[Round up to EOM date for expiration]
Verification Method: [Random Sample]
Verified by: [Lisa Rodriguez]
Verification Date: [5/5/2023]
By my signature below, I certify that to the best of my knowledge and belief that the data/records referred to in this Certificate of Destruction have been securely destroyed per AT&T’s retention requirements rendering the data/records incapable of reconstruction and no back up or additional copies were retained.
|
|
|
Signature:
|
|
Printed Name:
|
|
Title:
|
Supplier Contact Information
[Supplier Name]
[Supplier Street Address]
[Supplier Contact Number]
Proprietary and Confidential
This Agreement and information contained therein is not for use or disclosure outside of AT&T, its Affiliates, and third party representatives, and Supplier except under written agreement by the contracting parties.
16