Agreement for TruePoint Services City of Redwood City

6.2 Data Protection. Protection of personal privacy and data shall be an integral part of the business activities of Consultant to ensure there is no inappropriate or unauthorized use of Customer Data at any time. To this end, Consultant shall safeguard the confidentiality, integrity, and availability of Customer Data and comply with the following conditions:

6.2.1 Consultant shall implement and maintain appropriate administrative, technical and organizational security measures to safeguard against unauthorized access, disclosure or theft of Customer Data. Such security measures shall be in accordance with recognized industry practice and not less stringent than the measures Consultant applies to its own Customer Data of similar kind.

6.2.2 All data obtained by Consultant in the performance of this Agreement shall become and remain the property of the City.

6.2.3 All Customer Data shall be encrypted at rest and in transit with controlled access. Unless otherwise stipulated, Consultant is responsible for encryption of Customer Data.

6.2.4 For data at rest, Consultant shall ensure hard drive encryption consistent with validated cryptography standards as referenced in FIPS 140-2, Security Requirements for Cryptographic Modules for all Customer Data.

6.2.5 At no time shall any data or processes — that either belong to or are intended for the use of the City or its officers, agents or employees — be copied, disclosed or retained by Consultant or any party related to Consultant for subsequent use in any transaction that does not include the City.

6.2.6 Consultant shall not use any information collected in connection with the Services issued from this Agreement for any purpose other than fulfilling the Services.

6.3 Data Location. Consultant shall provide its Services to the City and its end users solely from data centers in the U.S. Storage of City Data at rest shall be located solely in data centers in the U.S. Consultant shall not allow its personnel to store City Data on portable devices, including personal computers, except for devices that are used and kept only at its U.S. data centers.

6.4 Security Incident or Data Breach Notification. Consultant shall inform the City of any Security Incident or Data Breach:

6.4.1 Incident Response: Consultant may need to communicate with outside parties regarding a Security Incident, which may include contacting law enforcement, fielding media inquiries and seeking external expertise as mutually agreed upon, defined by law or contained in this Agreement. Discussing Security Incidents with the City should be handled on an urgent as-needed basis, as part of communication and mitigation processes as mutually agreed upon, defined by law or contained in this Agreement.

6.4.2 Security Incident Reporting Requirements: Consultant shall report a Security Incident to the Contract Officer immediately.

6.4.3 Breach Reporting Requirements: If Consultant has actual knowledge of a confirmed Data Breach that affects the security of any City content that is subject to applicable Data Breach notification law, Consultant shall (1) promptly notify the Contract Officer within 24 hours or sooner, unless shorter time is required by applicable law, and (2) take commercially reasonable measures to address the Data Breach in a timely manner.

REV: 04-23-19 PR
Page 5 of 64
ATTY/AGR.2019.106/TruePoint TrueBill Utility Billing System