Laserfiche WebLink
REV: 10-03-24 MI <br />Data Security. <br />e. For purposes of this Section 10, the following definitions apply: <br />(i) “Data Breach” means the unauthorized access by a non-authorized person’s that <br />results in the use, disclosure or theft of City Data. <br />(ii) “City Identified Contact” means the person or persons designated in writing by <br />the City to receive Security Incident or Data Breach notification. <br />(iii) “Security Incident” means the potentially unauthorized access by non-authorized <br />persons to City Date that Provider believes could reasonably result in the use, <br />disclosure or theft of City Data within the possession or control of Provider. A <br />Security Incident may or may not turn into a Data Breach. <br />f. The Software and Services will be provided in accordance with the security protocols that <br />are set forth in the security policy of Provider, which is attached hereto as Exhibit “F” <br />(“Security Policy”). The Security Policy sets forth the minimum level of encryption, <br />intrusion detection and data protection that is provided for the SaaS Solution and <br />Provider will not make any change to the Security Policy during the terms of this <br />Agreement that would provide less rigorous protection. Notwithstanding any term of the <br />Security Policy, all City Data will be encrypted while in transit and while at rest or in <br />storage on Provider’s servers. City Data that is stored by Provider will only be stored on <br />servers, which are located in the United States of America. Provider shall not allow its <br />personnel or contractors to store City Data on portable devices, including personal <br />computers, except for devices that are used and kept only at its U.S. data centers. <br />Provider shall permit its personnel and contractors to access City Data remotely only as <br />required to provide the Services or to provide technical support. <br />g. Provider shall inform the City of any Security Incident or Data Breach in accordance with <br />the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a Security <br />Incident, which may include contacting law enforcement, fielding media <br />inquiries and seeking external expertise as mutually agreed upon, defined by law <br />or contained in this Agreement. Discussing Security Incidents with the City <br />should be handled on an urgent as-needed basis, as part of Provider <br />communication and mitigation processes as mutually agreed upon, defined by <br />law or contained in this Agreement. <br />(ii) Provider shall report a Security Incident to the appropriate City Identified <br />Contact immediately. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects the <br />security of any City Data, Provider shall (1) promptly notify the appropriate City <br />Identified Contact within 24 hours or sooner, unless shorter time is required by <br />applicable law, and (2) take commercially reasonable measures to address the <br />Data Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the City to <br />investigate and resolve the Data Breach, (2) promptly implement necessary <br />remedial measures, if necessary, and (3) document responsive actions taken <br />related to the Data Breach, including any post-incident review of events and <br />ATTY/AGR.2024.180/Neighborly Software (Page 5 of 26)