Laserfiche WebLink
standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for <br />all Personal Data. <br />v. At no time shall any data or processes — that either belong to or are intended for the use of a <br />Library or its officers, agents or employees — be copied, disclosed or retained by Brainfuse or <br />any party related to Brainfuse for subsequent use in any transaction that does not include the <br />Library. <br />vi. Brainfuse shall not use any information collected in connection with the services issued from <br />this Agreement for any purpose other than fulfilling the services. <br />Section 8.3 Data Location <br />Brainfuse shall provide its services to the Library and its end users solely from data centers in the U.S. <br />Storage of Library Data at rest shall be located solely in data centers in the U.S. Brainfuse shall not allow <br />its personnel or contractors to store Library Data on portable devices, including personal computers, except <br />for devices that are used and kept only at its U.S. data centers. Brainfuse shall permit its personnel and <br />contractors to access Library Data remotely only as required to provide technical support. Brainfuse may <br />provide technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise prohibited <br />in this Agreement. <br />Section 8.4 Securitv Incident or Data Breach Notification <br />Brainfuse shall inform the Library of any Security Incident or Data Breach: <br />Incident Response: Brainfuse may need to communicate with outside parties regarding a <br />Security Incident, which may include contacting law enforcement, fielding media inquiries and <br />seeking external expertise as mutually agreed upon, defined by law or contained in this <br />Agreement. Discussing Security Incidents with the Library should be handled on an urgent as - <br />needed basis, as part of Brainfuse communication and mitigation processes as mutually agreed <br />upon, defined by law or contained in this Agreement. <br />ii. Security Incident Reporting Requirements: Brainfuse shall report a Security Incident to the <br />appropriate Library Identified Contact immediately. <br />iii. Breach Reporting Requirements: If Brainfuse has actual knowledge of a confirmed Data <br />Breach that affects the security of any Library content that is subject to applicable Data Breach <br />notification law, Brainfuse shall (1) promptly notify the appropriate Library Identified Contact <br />within 24 hours or sooner, unless shorter time is required by applicable law, and (2) take <br />commercially reasonable measures to address the Data Breach in a timely manner. <br />Section 8.5 Breach Responsibilities <br />This section only applies when a Data Breach occurs with respect to Personal Data of Non -Public Data <br />within the possession or control of Brainfuse. <br />i. Brainfuse, unless stipulated otherwise, shall immediately notify the appropriate Library <br />Identified Contact by telephone in accordance with the agreed upon security plan or security <br />procedures if it reasonably believes there has been a Security Incident. <br />ii. Brainfuse, unless stipulated otherwise, shall promptly notify the appropriate Library Identified <br />Contact within 24 hours or sooner by telephone, unless shorter time is required by applicable <br />ATTY/AGR/2017.276/BRAINFUSE, INC. <br />REV: 11-17-1715 <br />Page 4 of 7 <br />