Laserfiche WebLink
REV: 12-16-24 MI <br />(iii) “Security Incident” means the potentially unauthorized access by non- <br />authorized persons to City Date that Provider believes could reasonably result in <br />the use, disclosure or theft of City Data within the possession or control of <br />Provider. A Security Incident may or may not turn into a Data Breach. <br />b. The Software and Services will be provided in accordance with the security protocols that <br />are set forth in the security policy of Provider, which is attached hereto as Exhibit “F” <br />(“Security Policy”). The Security Policy sets forth the minimum level of encryption, <br />intrusion detection and data protection that is provided for the SaaS Solution and Provider <br />will not make any change to the Security Policy during the terms of this Agreement that <br />would provide less rigorous protection. Notwithstanding any term of the Security Policy, <br />all City Data will be encrypted while in transit and while at rest or in storage on Provider’s <br />servers. All connections between City and Provider where Provider employees or <br />contractors have access to the City’s network or City Data while providing Services will be <br />secured using a virtual private network or similar protocol. City Data that is stored by <br />Provider will only be stored on servers, which are located in the United States of America. <br />Provider shall not allow its personnel or contractors to store City Data on portable devices, <br />including personal computers, except for devices that are used and kept only at its U.S. data <br />centers. Provider shall permit its personnel and contractors to access City Data remotely <br />only as required to provide the Services or to provide technical support. <br />c. Provider shall inform the City of any Security Incident or Data Breach in accordance with <br />the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a <br />Security Incident, which may include contacting law enforcement, fielding media <br />inquiries and seeking external expertise as mutually agreed upon, defined by law <br />or contained in this Agreement. Discussing Security Incidents with the City <br />should be handled on an urgent as-needed basis, as part of Provider <br />communication and mitigation processes as mutually agreed upon, defined by <br />law or contained in this Agreement. <br />(ii) Provider shall report a Security Incident to the appropriate City Identified <br />Contact immediately. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects <br />the security of any City Data, Provider shall (1) promptly notify the appropriate <br />City Identified Contact within 24 hours or sooner, unless shorter time is required <br />by applicable law, and (2) take commercially reasonable measures to address the <br />Data Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the <br />City to investigate and resolve the Data Breach, (2) promptly implement <br />necessary remedial measures, if necessary, and (3) document responsive actions <br />taken related to the Data Breach, including any post-incident review of events <br />and actions taken to make changes in business practices in providing the Services, <br />if necessary. <br />(v) Unless otherwise stipulated, if a Data Breach is a direct result of <br />Provider’s breach of its contractual obligation to secure City Data in accordance <br />with this Agreement and the Security Policy or otherwise prevent its release, <br />ATTY/AGR.2024.237/Granicus (Agenda Management System) (Page 5 of 35)