Laserfiche WebLink
REV: 11-22-24 MI <br />(iii) “Security Incident” means the potentially unauthorized access by non- <br />authorized persons to City Data that Provider believes could reasonably result in <br />the use, disclosure or theft of City Data within the possession or control of Provider. <br />A Security Incident may or may not turn into a Data Breach. <br />b. The Software and Services will be provided in accordance with the security <br />protocols that are set forth in the security policy of Provider, which is attached hereto as <br />Exhibit “G” (“Security Policy”). The Security Policy sets forth the minimum level of <br />encryption, intrusion detection and data protection that is provided for the SaaS Solution <br />and Provider will not make any change to the Security Policy during the terms of this <br />Agreement that would provide less rigorous protection. Notwithstanding any term of the <br />Security Policy, all City Data will be encrypted while in transit and while at rest or in storage <br />on Provider’s servers. All connections between City and Provider where Provider <br />employees or contractors have access to the City’s network or City Data while providing <br />Services will be secured using a virtual private network or similar protocol. City Data that <br />is stored by Provider will only be stored on servers, which are located in the United States <br />of America. Provider shall not allow its personnel or contractors to store City Data on <br />portable devices, including personal computers, except for devices that are used and kept <br />only at its U.S. data centers. Notwithstanding the foregoing, Provider shall permit its <br />personnel and contractors to access City Data remotely only as required to provide the <br />Services or to provide technical support. <br />c. Provider shall inform the City of any Security Incident or Data Breach in <br />accordance with the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a <br />Security Incident, which may include contacting law enforcement, fielding media <br />inquiries and seeking external expertise as mutually agreed upon, defined by law <br />or contained in this Agreement. Discussing Security Incidents with the City should <br />be handled on an urgent as-needed basis, as part of Provider communication and <br />mitigation processes as mutually agreed upon, defined by law or contained in this <br />Agreement. <br />(ii) Provider shall report a Security Incident to the appropriate City Identified <br />Contact immediately. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects <br />the security of any City Data, Provider shall (1) promptly notify the appropriate City <br />Identified Contact within twenty-four (24) hours or sooner, unless shorter time is <br />required by applicable law, and (2) take commercially reasonable measures to <br />address the Data Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the <br />City to investigate and resolve the Data Breach, (2) promptly implement necessary <br />remedial measures, if necessary, and (3) document responsive actions taken <br />related to the Data Breach, including any post-incident review of events and <br />actions taken to make changes in business practices in providing the Services, if <br />necessary. <br />(v) Unless otherwise stipulated, if a Data Breach is a direct result of Provider’s <br />breach of its contractual obligation to secure City Data in accordance with this <br />ATTY/AGR.2024.220/Kim Lundgren Associates, Inc (KLA) (Climate Dashboard) (Page 5 of 22)