Laserfiche WebLink
REV: 01-13-25 LR <br />(iii) “Security Incident” means the potentially unauthorized access by non-authorized <br />persons to City Date that Provider believes could reasonably result in the use, <br />disclosure or theft of City Data within the possession or control of Provider. A <br />Security Incident may or may not turn into a Data Breach. <br />b. The Software and Services will be provided in accordance with the security protocols that <br />are set forth in the security policy of Provider, which is attached hereto as Exhibit “H” <br />(“Security Policy”). The Security Policy sets forth the minimum level of encryption, <br />intrusion detection and data protection that is provided for the SaaS Solution and <br />Provider will not make any change to the Security Policy during the terms of this <br />Agreement that would provide less rigorous protection. Notwithstanding any term of the <br />Security Policy, all City Data will be encrypted while in transit and while at rest or in <br />storage on Provider’s servers. All connections between City and Provider where Provider <br />employees or contractors have access to the City’s network or City Data while providing <br />Services will be secured using a virtual private network or similar protocol. City Data <br />that is stored by Provider will only be stored on servers, which are located in the United <br />States of America. Provider shall not allow its personnel or contractors to store City Data <br />on portable devices, including personal computers, except for devices that are used and <br />kept only at its U.S. data centers. Provider shall permit its personnel and contractors to <br />access City Data remotely only as required to provide the Services or to provide technical <br />support. <br />c. Provider shall inform the City of any Security Incident or Data Breach in accordance with <br />the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a Security <br />Incident, which may include contacting law enforcement, fielding media <br />inquiries and seeking external expertise as mutually agreed upon, defined by law <br />or contained in this Agreement. Discussing Security Incidents with the City <br />should be handled on an urgent as-needed basis, as part of Provider <br />communication and mitigation processes as mutually agreed upon, defined by <br />law or contained in this Agreement. <br />(ii) Provider shall report a Security Incident to the appropriate City Identified <br />Contact immediately. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects the <br />security of any City Data, Provider shall (1) promptly notify the appropriate City <br />Identified Contact within 24 hours or sooner, unless shorter time is required by <br />applicable law, and (2) take commercially reasonable measures to address the <br />Data Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the City to <br />investigate and resolve the Data Breach, (2) promptly implement necessary <br />remedial measures, if necessary, and (3) document responsive actions taken <br />related to the Data Breach, including any post-incident review of events and <br />actions taken to make changes in business practices in providing the Services, if <br />necessary. <br />(v) Unless otherwise stipulated, if a Data Breach is a direct result of Provider’s <br />breach of its contractual obligation to secure City Data in accordance with this <br />ATTY/AGR.2025.005/Populus Technologies, INC (SaaS Agreement) (Page 5 of 34)