Laserfiche WebLink
6.11). - Page 128 of 179 <br />4.7. Data Location. Vendor shall provide its Services to the City and its end users solely from data <br />centers in the U.S. Storage of City Data at rest shall be located solely in data centers in the <br />U.S. Vendor shall not allow its personnel or contractors to store City Data on portable devices, <br />including personal computers, except for devices that are used and kept only at its U.S. data <br />centers. Vendor shall permit its personnel and contractors to access City Data remotely only <br />as required to provide the Services or to provide technical support. Vendor may provide <br />technical user support on a 24/7 basis using a Follow the Sun model, unless otherwise <br />prohibited in this Purchase Agreement. <br />5. Security Incident or Data Breach Notification. Vendor shall inform the City of any Security Incident <br />or Data Breach: <br />5.1. Incident Response: Vendor may need to communicate with outside parties regarding a <br />Security Incident, which may include contacting law enforcement, fielding media inquiries and <br />seeking external expertise as mutually agreed upon, defined by law or contained in this <br />Purchase Agreement. Discussing Security Incidents with the City should be handled on an <br />urgent as -needed basis, as part of Vendor communication and mitigation processes as <br />mutually agreed upon, defined by law or contained in this Purchase Agreement. <br />5.2. Security Incident Reporting Requirements: Vendor shall report a Security Incident to the <br />appropriate City Identified Contact immediately. <br />5.3. Breach Reporting Requirements: If Vendor has actual knowledge of a confirmed Data Breach <br />that affects the security of any City content that is subject to applicable Data Breach <br />notification law, Vendor shall (1) promptly notify the appropriate City Identified Contact <br />within 24 hours or sooner, unless shorter time is required by applicable law, and (2) take <br />commercially reasonable measures to address the Data Breach in a timely manner. <br />5.4. Breach Responsibilities. This section only applies when a Data Breach occurs with respect to <br />Personal Data or Non -Public Data within the possession or control of Vendor. <br />• Vendor, unless stipulated otherwise, shall immediately notify the appropriate City <br />Identified Contact by telephone in accordance with the agreed upon security plan or <br />security procedures if it reasonably believes there has been a Security Incident. <br />• Vendor, unless stipulated otherwise, shall promptly notify the appropriate City Identified <br />Contact within 24 hours or sooner by telephone, unless shorter time is required by <br />applicable law, if it confirms that there is, or reasonably believes that there has been a <br />Data Breach. Vendor shall (1) cooperate with the City as reasonably requested by the City <br />to investigate and resolve the Data Breach, (2) promptly implement necessary remedial <br />measures, if necessary, and (3) document responsive actions taken related to the Data <br />Breach, including any post -incident review of events and actions taken to make changes <br />in business practices in providing the Services, if necessary. <br />• Unless otherwise stipulated, if a Data Breach is a direct result of Vendor's breach of its <br />contractual obligation to encrypt Personal Data or otherwise prevent its release, Vendor <br />O7P FORM 4000/2 <br />167 <br />