Laserfiche WebLink
REV: 12-20-24 MI <br />(iii) “Security Incident” means the potentially unauthorized access by non- <br />authorized persons to City Date that Provider believes could reasonably result <br />in the use, disclosure or theft of City Data within the possession or control of <br />Provider. A Security Incident may or may not turn into a Data Breach. <br />b. The Software and Services will be provided in accordance with the security protocols <br />that are set forth in the security policy of Provider, which is attached hereto as Exhibit <br />“G” (“Security Policy”). The Security Policy sets forth the minimum level of encryption, <br />intrusion detection and data protection that is provided for the SaaS Solution and <br />Provider will not make any change to the Security Policy during the terms of this <br />Agreement that would provide less rigorous protection. Notwithstanding any term of <br />the Security Policy, all City Data will be encrypted while in transit and while at rest or <br />in storage on Provider’s servers. All connections between City and Provider where <br />Provider employees or contractors have access to the City’s network or City Data while <br />providing Services will be secured using a virtual private network or similar protocol. <br />City Data that is stored by Provider will only be stored on servers, which are located in <br />the United States of America. Provider shall not allow its personnel or contractors to <br />store City Data on portable devices, including personal computers, except for devices <br />that are used and kept only at its U.S. data centers. Provider shall permit its personnel <br />and contractors to access City Data remotely only as required to provide the Services <br />or to provide technical support. <br />c. Provider shall inform the City of any Security Incident or Data Breach in <br />accordance with the following protocols: <br />(i) Provider may need to communicate with outside parties regarding a Security <br />Incident, which may include contacting law enforcement, fielding media <br />inquiries and seeking external expertise as mutually agreed upon, defined by <br />law or contained in this Agreement. Discussing Security Incidents with the City <br />should be handled on an urgent as-needed basis, as part of Provider <br />communication and mitigation processes as mutually agreed upon, defined by <br />law or contained in this Agreement. <br />(ii) Provider shall promptly report a Security Incident to the appropriate City <br />Identified Contact. <br />(iii) If Provider has actual knowledge of a confirmed Data Breach that affects the <br />security of any City Data, Provider shall (1) promptly notify the appropriate City <br />Identified Contact within 24 hours or sooner, unless shorter time is required by <br />applicable law, and (2) take commercially reasonable measures to address the <br />Data Breach in a timely manner. <br />(iv) Provider shall (1) cooperate with the City as reasonably requested by the City <br />to investigate and resolve the Data Breach, (2) promptly implement necessary <br />remedial measures, if necessary, and (3) document responsive actions taken <br />related to the Data Breach, including any post- incident review of events and <br />actions taken to make changes in business practices in providing the Services, <br />if necessary. <br />ATTY/AGR.2024.239/Dropcountr, Inc. (Dropcountr) (Page 5 of 28)