To Contractor:
Attn: Chief Financial Officer
Address: Arvato Digital Services LLC
29011 Commerce Center Drive
Valencia, California 91355
Phone: (661) 702-7623
Fax: (661) 257-1986

with a copy to:
Attn: Vice President, Legal Affairs
Address: Bertelsmann, Inc.
1745 Broadway, 7th Floor
New York, New York 10019
Phone: (212) 782-1142
Fax: (212) 782-1042

To Intuit:
Attn: Luke Tapsall, Vendor Mgr for ADS Direct Services
Address: Intuit Inc.
2632 Marine Way, M/S MPK 01-03
Mountain View, CA 94043
Phone: 650-944-2082
Fax: 650-944-3033

To Intuit:
Attn: Steve Scheid, Vendor Mgr for ADS Retail Services
Address: Intuit Inc.
2632 Marine Way, M/S MPK 01-03
Phone: 269-983-8773
Fax: 650-944-3033

with a copy to:
Intuit Inc.
2700 Coast Avenue
Mountain View, California 94043
Attn: General Counsel, Legal Dept.
Phone: (650) 944-6000
Fax: (650) 944-6622
INTUIT INC.
By: /s/ SCOTT BETH
Name: Scott Beth
Title: VP, Procurement
Date: April 4, 2008

ARVATO DIGITAL SERVICES LLC
By: /s/ Jan Icking
Name: Jan Icking
Title: CFO
Date: April 7, 2008
1. INTRODUCTION
1.1. This Intuit Privacy Exhibit governs the manner in which specified customer-related information may be handled or processed by the 3rd Party. Intuit may impose different or additional restrictions as identified according to country of origin, transmission, or processing; type of data; or type of processing.
2. DEFINITIONS
2.1. “Affiliate Companies” shall mean any companies controlling, being controlled by, or under common control with another company.
2.2. “Individual” shall mean, unless otherwise indicated, any natural person.
2.3. “Intuit” shall mean Intuit Inc. and its Affiliate Companies.
2.4. “Opt-out” shall mean the opportunity afforded to individuals to decline to have their Personal Information used for purposes other than as necessary to provide the product or service for which the Personal Information is collected.
2.5. “Opt-in” shall mean the active, affirmative permission granted by individuals to have their Personal Information used for specified purposes.
2.6. “3rd Party” shall mean the party entering into an agreement with Intuit, into which this Exhibit has been incorporated by reference, as well as all Affiliate Companies of said 3rd Party.
2.7. “Personal Information” (“PI”) shall mean any factual or subjective information that, by itself or in combination, (i) identifies or can be used to identify, contact, or locate an individual, (ii) pertains to an individual, or (iii) is defined as personal information under applicable personal data protection laws. PI includes, but is not limited to: name, address, phone number, fax number, email address, financial profile, medical information or profile, social security number, credit card information, personal profile, age, income, credit information, unique identifier, biometric information, and IP address associated with an individual. For the purposes of this Exhibit, information about an individual in the business context is considered Personal Information. For example, business contact information is considered Personal Information.
2.8. “Sensitive Personal Information” shall mean any information that identifies or suggests an individual’s health, trade union membership, religion or philosophy, race, ethnicity, politics, or sex life; or that could be misused in such a way as to jeopardize the financial or legal position of its owner or cause personal embarrassment. Examples of sensitive personal information include but are not limited to: social security or services number, national ID number, credit card information, bank account information, physical or mental health status, genetic information.
3. 3RD PARTY RESPONSIBILITIES — GENERAL
3.1. Intuit maintains a compilation of internal privacy policies that govern how Intuit and its 3rd Parties handle Intuit Personal Information. These policies follow Safe Harbor principles. The 3rd Party shall apply each of these Safe Harbor principles as applicable when handling Intuit Personal Information:
3.1.1. Notice — Offer clear, conspicuous notice before collection of Personal Information from any individual.
3.1.2. Choice — Provide individuals choice regarding secondary uses of personal information, including but not limited to marketing-related uses; and before sharing Personal Information with other 3rd Parties not acting as agent.
3.1.3. Security — Provide adequate protections against unauthorized access and exposure of Personal Information, commensurate with the sensitivity of the Personal Information.
3.1.4. Data Integrity — Take reasonable steps to ensure that Personal Information is relevant, reliable for its intended use, accurate, complete, and current.
3.1.5. Access — Take reasonable measures to provide individuals the ability to view, and in some cases, amend or correct, Personal Information.
3.1.6. Enforcement — Provide specific mechanisms for ensuring compliance with principles, recourse, and consequences for non-compliance.
3.2. Each party shall comply with this Exhibit and all applicable laws, rules and regulations relating to the collection or use of Intuit Personal Information. The 3rd Party agrees to [*] of this Exhibit [*] with access to Intuit Personal Information.
3.3. The 3rd Party shall document in writing Personal Information handling procedures designed to implement technical and organizational measures to protect Intuit Personal Information as required by applicable laws and this Exhibit. The 3rd Party will train employees/contractors/vendors on and implement said procedures in a way that produces the same degree of care, but never less than a reasonable degree of care, to prevent the unauthorized collection, use, sharing, retention/destruction, and other inappropriate or prohibited Personal Information handling practices. These written and actual Personal Information handling procedures are subject to approval by Intuit. Any substantive deviation from said procedures must be approved by Intuit in writing.
3.4. The 3rd Party shall provide access to Intuit Personal Information to only those employees, contractors, vendors or authorized agents who (i) have a need to view them in order to perform authorized work, (ii) are trained in the proper handling of Intuit Personal Information, and (iii) are subject to an obligation to handle Intuit Personal Information in ways at least as restrictive as those practices outlined in this Exhibit. The 3rd Party and its authorized agents and vendors shall never sell, rent, or lease Intuit Personal Information to any individual or organization.
3.5. The 3rd Party shall under no circumstances collect, access, use, store, destroy, reproduce, disclose, or otherwise handle or process Intuit Personal Information other than as specifically authorized by this Exhibit or the agreement into which this Exhibit is incorporated. Should the 3rd Party become legally obligated to handle Intuit Personal Information other than as permitted by this Exhibit or the associated agreement, it shall, unless legally prohibited from doing so, first provide notice to Intuit.
3.6. The 3rd Party shall maintain such records as are applicable to demonstrate its compliance with this Exhibit and shall permit Intuit, or a third party chosen by Intuit and reasonably acceptable to the 3rd Party, to audit the 3rd Party’s records and practices relating to its obligations under this Exhibit upon reasonable notice and during regular business hours, and at Intuit’s expense, at the locations where such records and data are maintained, for purposes of verifying the 3rd Party’s compliance. Intuit shall be provided with a description of all data flows, practices and uses, and names of individuals with access to the Intuit Personal Information. All such data flows, practices, uses of Personal Information, and categories of individuals with access to that Personal Information are subject to approval by Intuit.
3.7. The 3rd Party shall immediately report to Intuit any failure to treat or protect — including specifically any actual or suspected accidental exposure or unauthorized use or disclosure of — Intuit Personal Information as set forth in this Exhibit or the agreement into which it is incorporated, including any related complaints about the 3rd Party’s information and collection practices, and shall consult with Intuit as to correction thereof. The 3rd Party agrees that Intuit shall have the right to participate in the breach investigation, and to control and direct any response and/or correction of any such breach.
3.8. The 3rd Party designates the following person as its Privacy Exhibit Coordinator. This Privacy Exhibit Coordinator will (i) maintain responsibility for applying adequate protections to Intuit Personal Information, (ii) oversee application of 3rd Party compliance with Exhibit requirements, and (iii) serve as a single point of contact for internal communications and communications with Intuit pertaining to this Exhibit and compliance with or any breaches thereof.
COMPANY: Arvato Digital Services LLC
Designated Privacy Exhibit Coordinator:
Title:
Phone:
Email:
Mailing Address:
3.9. Intuit may propose Amendments of this Exhibit from time to time, with reasonable notice, as may be required by law or updated Intuit policies, and as promptly as practicable, Intuit will provide notice to the 3rd Party of any such requirements of which Intuit becomes aware. 3rd Parties not willing or able to change practices that are required by law in accordance with such Amendments may be given sixty (60) days’ written notice of termination of the Agreement prior to the date on which the lawful requirements take effect. 3rd Parties not willing or able to change practices that are required by Intuit policies in accordance with such Amendments may be given reasonable advance written notice by Intuit to comply or terminate the Agreement. Any Amendments shall be signed by both Intuit and the 3rd Party and may entail reasonable and commensurate additional costs, if applicable, for upholding the increased Privacy requirements, as required by law or by Intuit.
4. 3RD PARTY RESPONSIBILITIES — SPECIFIC.
The following provisions shall not be applicable except to the extent that Intuit and the 3rd Party execute a Statement of Work requiring that the 3rd Party handles Personal Information of residents of the relevant jurisdiction listed below. The parties shall jointly determine the precise requirements applicable to Intuit and the 3rd Party as to such jurisdiction based on the Reference Laws and Requirements referred to below:
a. Italy
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of the Italian Republic, and may be governed by Italian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements.
ii. Reference Laws and Requirements: The Italian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
b. One or more Member States of the European Union
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of one or more European Union Member States, and may be governed by European Union privacy and data protection laws. The 3rd Party recognizes that Intuit privacy policies are based around the Safe Harbor framework, a set of principles that form the basis of an “adequacy” determination that predicates legal transmission from any European Union Member State to a non-European Union country. The 3rd Party agrees to apply these Safe Harbor principles in a way that at least meets and can exceed Safe Harbor requirements.
ii. Reference Laws and Requirements: The European Union legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
c. Australia
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of Australia and may be governed by Australian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements.
ii. Reference Laws and Requirements: The Australian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
d. Canada
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of Canada and may be governed by Canadian privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements and abide by the Canadian Model Code for the Protection of Personal Information: accountability, purpose specification, use limitation, data quality, security safeguards, openness, and individual participation.
ii. Reference Laws and Requirements: The Canadian legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
e. United Kingdom
i. The 3rd Party recognizes that some Intuit personal data may pertain to residents of the United Kingdom and may be governed by United Kingdom privacy and data protection laws. The 3rd Party agrees to review and apply, with Intuit supervision and approval, all such pertinent data protection requirements and the associated eight data protection principles.
ii. Reference Laws and Requirements: The United Kingdom legal framework provides for some protections additional to those outlined previously in this document. These differences include but are not limited to:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with individuals’ rights
7. Secure
8. Not transferred to other countries without adequate protection
• Note that the Scottish Parliament has approved a stronger Freedom of Information Act, and that territories (Isle of Man, Bailiwick of Guernsey, and Jersey) have also approved additional data protection acts.
• Secret Information: Information that is used to protect other Confidential Information. Generally, Secret Information is not disclosed to outside parties under any circumstances.
• Sensitive Information: Any information that could be misused in such a way as to jeopardize the financial or legal position of its owner, or of the person or company described by the information.
• Restricted Information: Information that is not secret or Sensitive, but whose permissible use has been restricted by its owner.
a. Personally-Identifiable Information. Information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. It includes, without limitation, the following information:
• Secret Information: Customer passwords, private encryption keys, and private signature keys.
• Sensitive Information: Customer account numbers, Social Security numbers, taxpayer identification numbers, account balances, account activity, financial information, medical records, legal records, and records of customer services and other data relating to the products and services offered, received, or purchased by customers of Intuit or the Company.
• Restricted Information: Customer names, customer street or e-mail addresses, customer telephone numbers.
b. Confidential Corporate Information, consisting of any of the following:
• Secret Information: Computer account IDs, passwords for computer or database systems, private encryption keys, SSL keys, computer source code relating to encryption / decryption, special access privileges, known security vulnerabilities, the results of security audits and reviews, and any information explicitly designated Secret by Intuit or by Company.
• Sensitive Information: Any of the following:
(i) Work Products: Work product resulting from or related to work or projects performed or to be performed for Intuit or the Company, or for customers of Intuit or the Company (including all media on which such information is contained);
(ii) Business Operations: Internal Intuit or Company personnel and financial information, names and other information about Service Providers (including without limitation Service Provider characteristics, services and agreements), purchasing and internal cost information, internal services and operational manuals, and the manner and methods of conducting Intuit’s or the Company’s business;
(iii) Marketing and Development Operations: Marketing and development information regarding Intuit’s or the Company’s operations (including without limitation marketing and development plans, price and cost data, price and fee amounts, pricing and billing policies, quoting procedures, marketing techniques and methods of obtaining business, forecasts and forecast assumptions and volumes, and future plans and potential strategies of Intuit or the Company which have been or are being discussed);
(iv) Other Proprietary Data: Information relating to Intuit’s or the Company’s proprietary business information (including without limitation information pertaining to business transactions and financial performance) or proprietary rights prior to any public disclosure thereof, and information regarding acquiring, protecting, enforcing and licensing proprietary rights (including without limitation patents, copyrights and trade secrets).
(v) Designated Information: Notwithstanding the above, any information explicitly designated as Sensitive by Intuit or by Company.
• Restricted Information: Aggregated or anonymous customer information (any customer information other than Personally Identifiable Customer Information), contractual information or obligations not designated as Sensitive, and any information explicitly designated as Restricted by Intuit or by Company.
1. Access to Confidential Information stored on Company’s systems must not be granted to members of Company’s staff, Sub Suppliers, or other agents, unless the following conditions are met:
a) The staff member, Sub Supplier, or other agent requesting the access can be uniquely identified (e.g., by a unique User ID), with the exception of “root” password access provided by the Company to its core system administration team;
b) The staff member, Sub Supplier, or other agent requesting the access has entered a correct password or other authorizing token to indicate that he / she is the authorized user of this account. If passwords are the only method used for authentication, they must satisfy certain minimal standards mutually agreeable to Intuit and Company (i.e., 8 characters minimum length, required use of special- and / or mixed-case characters, no words that could be found in a dictionary, and required to be changed every 90 days) that make them sufficiently robust to effectively resist both educated guessing and brute-force attacks.
c) In all cases, access permissions must be established in a manner that allows only for the minimum access level(s) required for each staff member, Sub Supplier, or other agent to perform his or her job function. The ability to read, write, modify or delete Confidential Information must be limited to those individuals who are specifically authorized to perform those data maintenance functions.
d) The date, time, requestor, and nature of the access (i.e., read-only or modify) have been recorded in a log file.
2. Confidential Information stored on Company’s systems must be stored behind firewalls with access to such data limited as described in the preceding requirement.
3. Secret Information must never be stored in clear text on Company’s systems. At a minimum, financial services industry-standard encryption techniques must be employed to safeguard Secret Information in Company’s systems from retrieval by unauthorized persons. Company should strive to adopt best industry practices where appropriate. Whenever possible, message digest algorithms such as SHA-1 or MD5 should be used to hash and verify the user’s password, and “salt” should be added to the input string prior to encoding to ensure that the same password text chosen by different users will yield different encodings.
4. Passwords used to control Company’s staff, Sub Suppliers, or other agents’ access to Confidential Information must at a minimum conform to the password policies described in paragraph A.1.b above. Passwords used by Company’s Customers are not required to conform to these policies; however, Company must ensure that Customers do not have access to Confidential Information other than that which pertains to them.
5. Procedures must be in place to modify or revoke access permissions to Confidential Information when staff members leave the Company or when their job responsibilities change.
6. Printed material that contains Confidential Information must be stored in secured areas to which access is limited to those staff members who have a business need to access it. It must also be disposed of in a secure manner. At a minimum, financial services industry-standard protections must be employed to ensure the secure storage and destruction of Secret and Sensitive Information. Whenever possible, secure disposal alternatives such as on-site shredding prior to recycling or placement in publicly-accessible trash bins with subsequent off-site shredding by a licensed Sub Supplier should be implemented.
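The password rules in paragraph 1.b above and the salted hashing in paragraph 3 are concrete enough to implement. The following Python block is an added example, not part of the exhibit or of either party's systems: it reports which 1.b rules a candidate password fails, enforces the 90-day change interval, and stores passwords as salted hashes. The word list is a constructed stand-in, and the hash is salted PBKDF2-HMAC-SHA256 rather than the bare SHA-1 or MD5 the exhibit names as examples, since a deliberately slow, salted construction is what "industry-standard" password storage means today.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta

MIN_LENGTH = 8             # "8 characters minimum length"
MAX_AGE_DAYS = 90          # "required to be changed every 90 days"
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for the dictionary check; a real deployment loads a full word list.
DICTIONARY = frozenset({"password", "welcome", "intuit", "valencia", "summer", "dragon"})


def policy_violations(password, dictionary=DICTIONARY):
    """Return the paragraph 1.b rules the candidate password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    has_mixed_case = password != password.lower() and password != password.upper()
    if not (has_special or has_mixed_case):
        problems.append("no special or mixed-case characters")
    # "no words that could be found in a dictionary": compare letters only, so that
    # a password like Summer2008! is still recognised as the word 'summer'.
    letters = re.sub(r"[^A-Za-z]", "", password).lower()
    for word in sorted(dictionary):
        if len(word) >= 4 and word in letters:
            problems.append(f"contains dictionary word {word!r}")
            break
    return problems


def password_expired(last_changed, today):
    """True once the password is older than the 90-day change interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def hash_password(password, salt=None):
    """Salted hash for storage (paragraph 3), encoded as 'iterations$salt_hex$digest_hex'.

    A fresh random salt per user guarantees that the same password text chosen by
    different users yields different stored encodings.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the salted hash from the stored record and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("Ab1!", "qwertyuiop", "Summer2008!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {policy_violations(candidate) or 'compliant'}")
    record = hash_password("Tr0ub4dor&3")
    print("verify correct password:", verify_password("Tr0ub4dor&3", record))
    print("verify wrong password:  ", verify_password("Tr0ub4dor&4", record))
    print("same password, second user, different encoding:",
          hash_password("Tr0ub4dor&3") != record)
    print("expired after 97 days:", password_expired(date(2008, 1, 1), date(2008, 4, 7)))
```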
1. Unless restricted by law, Company must not electronically transmit Secret or Sensitive Information over publicly accessible networks without using 128-bit SSL or another mechanism that affords similar or greater security and confidentiality. If legal restrictions limit the use of 128-bit SSL encryption technology, Company must use the strongest encryption technology permitted.
2. Confidential Information must never be passed in a URL (e.g., using a Get method) in a manner that potentially exposes the information to third parties and causes such information to appear in log files.
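Requirement 2 above forbids Confidential Information in URLs precisely because URLs end up in log files, so the log is where a reviewer can check whether an application complies. The following Python block is an added example, not part of the exhibit or of either party's systems: it scans web-server access-log lines for query parameters that carry Secret or Sensitive Information, either by parameter name or by value shape (Social Security number, Luhn-valid card number), and reports the line, path and parameter name without reproducing the value. The parameter-name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that, under this exhibit, carry Secret or Sensitive Information (assumed list).
SENSITIVE_PARAM_NAMES = {"password", "passwd", "pwd", "ssn", "tin", "account",
                         "acct", "card", "cc", "token", "key"}
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Common Log Format: host ident user [time] "METHOD target HTTP/x.y" status size
LOG_LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def luhn_valid(digits):
    """Luhn check digit test, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_param(name, value):
    """Return why a query parameter is Confidential Information, or None if it looks harmless."""
    lname = name.lower()
    if lname in SENSITIVE_PARAM_NAMES or any(k in lname for k in ("password", "ssn", "account", "card")):
        return f"sensitive parameter name {name!r}"
    if SSN_RE.match(value):
        return f"SSN-shaped value in {name!r}"
    if CARD_RE.match(value) and luhn_valid(value):
        return f"card-number-shaped value in {name!r}"
    return None


def scan_access_log(lines):
    """Yield one finding per offending query parameter; values are never copied into findings."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue                      # malformed line: skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_param(name, value)
            if reason:
                findings.append({"line": lineno, "method": m.group("method"),
                                 "path": parts.path, "reason": reason})
    return findings


# Constructed sample log; the offending entries mirror the failure mode requirement 2 describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2008:10:15:02 -0700] "GET /login?user=jdoe&password=Summer2008! HTTP/1.1" 302 0',
    '10.0.0.9 - - [07/Apr/2008:10:15:09 -0700] "GET /account/verify?id=42&taxpayer=123-45-6789 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Apr/2008:10:16:44 -0700] "GET /pay?amount=19.99&pan=4111111111111111 HTTP/1.1" 200 88',
    '10.0.0.7 - - [07/Apr/2008:10:17:01 -0700] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [07/Apr/2008:10:17:30 -0700] "GET /search?q=quickbooks+2008&page=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} -> {f['reason']}")
```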
1. To protect the accuracy and integrity of Confidential Information, all such data must be backed up regularly (no less often than weekly), and the backups stored in secure, environmentally-controlled, limited-access facilities.
2. Company must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (e.g., new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
3. Company must promptly install any security-related fixes identified by its hardware or software Suppliers, if the security threat being addressed by the fix is one that threatens the privacy or integrity of any Confidential Information covered by this Agreement. Such upgrades must be made as soon as they can safely be installed and integrated into Company’s existing architecture and systems.
4. Intuit may, from time to time, advise Company of recent security threats that have come to its attention, and require Company to implement specific modifications to its software, policies, or procedures that may be necessary to counter these threats. Company must implement these modifications within a mutually-agreeable time, or must obtain written permission from Intuit to take some other course of action to ensure that the privacy and integrity of any Confidential Information is preserved.
5. Company must immediately notify Intuit if it knows or suspects that Confidential Information has been compromised or disclosed to unauthorized persons, or if there has been any meaningful or substantial deviation from the requirements contained in the Agreement or this Exhibit. See Section F for contact information. Company agrees that Intuit shall have the right to control and direct any response and / or correction of any such compromise or disclosure.
6. Notwithstanding the minimum standards set forth in this Exhibit, Company should monitor and periodically incorporate reasonable industry-standard security safeguards.
1. Company shall not send any Secret or Sensitive Information in an e-mail message over publicly-accessible networks unless the e-mail is encrypted using a previously-approved encryption mechanism or is otherwise made secure with an approach that has been mutually agreed upon in advance by Intuit and Company.
2. Company and its Sub Suppliers and agents must not reveal the Personally-Identifiable Information of one customer to any other customer or other third party, in any e-mail or other communication, except as permitted in writing by the affected person, as deemed appropriate in light of the interests of the affected person, or as otherwise required by law.
1. Company agrees that Intuit shall have a right to verify Company’s compliance with this Exhibit. Upon no less than 14 days’ prior written notice to Company, Intuit (or its agent) may enter Company’s premises and inspect such of Company’s books, records, facilities and computer systems as Intuit and Company shall mutually agree is necessary to ensure that Company complies with the terms, covenants and conditions of this Exhibit. Intuit or its agent shall comply with Company’s standard policies and procedures that apply to third party companies that have access to Company’s premises, and Intuit or its agent shall access Company’s premises during normal business hours (Monday through Friday, 8:00 AM to 5:00 PM), subject to Company’s standard security and confidentiality procedures and without disruption to Company’s business. Notwithstanding the foregoing, if Intuit in good faith believes that a threat to security exists that could affect Confidential Information, Company must provide Intuit or its agent access to its premises immediately upon request by Intuit.
2. Intuit may inspect or employ third parties to conduct studies of Company’s operational processes, systems, vulnerability scan results and computer network security to determine Company’s compliance with this Exhibit. Intuit agrees to coordinate the scheduling of any such study with Company to minimize disruption to Company’s business. Company agrees to cooperate with Intuit to commence such a study within thirty (30) days from Company’s receipt of written notice of Intuit’s intent to conduct, or to employ a third party reasonably acceptable to Company to conduct, such a study. At Company’s request, Intuit will require any such third party it employs to conduct such a study to sign a nondisclosure agreement pursuant to which it agrees not to disclose any Confidential Information. Intuit will make the results of any such study available to Company and, depending on the seriousness of any problems found, may require Company to remedy any and all such deficiencies in a timely fashion. Costs of such audits shall be [*], and Company shall only be responsible for [*].
3. Notwithstanding any time-to-cure provision in this Agreement to the contrary, it shall be completely within Intuit’s discretion to require correction of any demonstrated security-related problem within a shorter period of time, subject to the procedures set forth in this Section E.3. Intuit shall provide written notice of the problem to Company, and Company must immediately take appropriate steps to correct the problem. If Company fails to correct any