1. Systems. As between the Parties, each Party has and will retain sole control over the operation, provision, maintenance, and management of its respective Systems. Customer shall have sole responsibility and liability for all access to and use of the AIX Systems (whether authorized or not) by Customer or Customer Authorized Users.
1.1. Platform Data. Customer may have access to Platform Data (as defined in the Terms and Conditions) through access to the Platform and the Services or in connection with the Additional Services. Subject to and conditioned on Customer’s (and its Authorized Users’) compliance with all terms and conditions of this Addendum and the Agreement, AIX hereby grants to Customer and its Authorized Users a limited, non-exclusive, non-sublicensable, non-transferable (subject to Section 11.8 of the Terms and Conditions), fully paid-up right and license during the Term and solely in the Territory, to use, modify, and enrich the Platform Data solely for Customer’s internal business purposes as needed for Customer and its Authorized Users to (a) use the Platform and receive the benefit of the Services (solely as made available by AIX) to effectuate transactions and complete Transaction Packages in compliance with applicable Laws, (b) as needed for Customer to perform its duties or obligations under the Agreement and (c) to provide a Customer client (“Client”) information associated with the Client’s account (collectively, the “Customer Permitted Use”).
1.2. Customer Data. Except as expressly set forth to the contrary in the Agreement, Customer will be solely responsible for all Customer Data. Customer grants to AIX all rights and licenses on a non-exclusive, irrevocable, fully sublicensable, fully transferable, royalty free, and worldwide basis in and to Customer Data necessary for AIX to provide the Services and Additional Services under the Agreement (including any Customer Data obtained from authorized third parties), and as needed for AIX to exercise its rights, or perform its duties or obligations, under the Agreement.
1.3. Restoring Customer Data. During the Term, in the event of any damage, loss, destruction, or corruption of Customer Data caused by AIX’s systems or the provision of the Services or Additional Services, AIX will use commercially reasonable efforts to restore the Customer Data from AIX’s most current back-up of such Customer Data in accordance with AIX’s then-current back-up policy. This shall be AIX’s sole obligation and liability, and Customer’s sole remedy, resulting from any damage, loss, destruction, or corruption of Customer Data caused by AIX’s systems or the provision of any Services or Additional Services.
2. Restrictions on Use and Access.
2.1. Specific Restrictions. Except as expressly permitted pursuant to the Agreement or this Addendum, Customer shall not, nor shall Customer permit any person or entity to, access or use the AIX Systems or Platform Data. Without limiting the generality of the foregoing, Customer shall (and shall ensure its Authorized Users do) not, except as the Agreement or the Addendum expressly permits or to the extent the following restrictions are prohibited per applicable Law, directly or indirectly:
2.1.1. copy, modify, or create derivative works or improvements of the AIX Systems or Platform Data;
2.1.2. use the Platform Data for any purpose other than the Customer Permitted Use, unless otherwise expressly agreed to in writing by AIX;
2.1.3. rent, lease, lend, sell, sublicense, assign, distribute, publish, transfer, or otherwise make available any Platform Data, Access Credentials, or the AIX Systems to any person or entity including, without limitation, on or in connection with the internet or any time-sharing, service bureau, software as a service, cloud, or other technology or service;
2.1.4. reverse engineer, disassemble, decompile, decode, adapt, or otherwise attempt to derive or gain access to the source code or source of the Platform Data, Access Credentials provided by AIX, or the AIX Systems, in whole or in part;
2.1.5. bypass or breach any security device or protection used by the AIX Systems or access or use the AIX Systems, Access Credentials provided by AIX, or Platform Data other than as expressly authorized by AIX and only by an Authorized User through the use of his or her own then-valid Access Credentials using the functionality made available by AIX;
2.1.6. input, upload, transmit, or otherwise provide to or through the AIX Systems, any information or materials that are unlawful or injurious, or contain, transmit, or activate any Harmful Code;
2.1.7. damage, destroy, disrupt, disable, impair, interfere with, or otherwise impede or harm in any manner the AIX Systems, in whole or in part;
2.1.8. remove, delete, alter, or obscure any trademarks, warranties, or disclaimers, or any copyright, trademark, patent, or other IPR notices from any Platform Data (including any copy thereof);
2.1.9. access or use the AIX Systems in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any third party, or that violates any applicable Law;
2.1.10. access or use the AIX Systems or Platform Data for purposes of competitive analysis, the development, provision, or use of a competing software service or product or any other purpose that is to AIX’s detriment or commercial disadvantage;
2.1.11. publish, enhance, or display any compilation or directory based upon information derived from the Platform Data; or
2.1.12. otherwise access or use the Platform Data, Access Credentials provided by AIX, or AIX Systems beyond the scope of the authorization granted by AIX under the Agreement, this Addendum, or otherwise expressly in writing.
2.2. Corrective Action. If Customer becomes aware of any actual or threatened activity prohibited by Section 2.1, Customer shall, and shall cause its Authorized Users to, promptly: (a) take all reasonable and lawful measures within their respective control that are necessary to stop the activity or threatened activity and to mitigate its effects (including, where applicable, by discontinuing and preventing any unauthorized access to the AIX Systems, Access Credentials provided by AIX and Platform Data, and permanently erasing from their systems and destroying any data to which any of them have gained unauthorized access); and (b) notify AIX of any such actual or threatened activity.
3. Data Security.
3.1. Data Security. Each Party further agrees as follows with respect to data security and data privacy:
3.1.1. Compliance with Data Security Laws. Each Party agrees to abide by any and all applicable Laws, including, but not limited to, any and all applicable Data Security Laws, and all revisions or amendments thereto (whether existing prior to the effective date or effective thereafter) concerning the use or Processing of Data. Customer will ensure its Customer Authorized Users comply with all applicable Data Security Laws, and all revisions and amendments thereto (whether existing prior to or after the Effective Date). AIX acknowledges that it alone is responsible for identifying, understanding, and complying with its obligations under the Data Security Laws as they apply to its performance of this Agreement and its possession of Personally Identifiable Information.
3.1.2. Standard of Care. Each Party shall exercise the utmost care in the collection, handling, storage, Processing, use, transmission, disclosure, importing, exporting, and/or maintenance of the other Party’s Data, and except as expressly set forth in the Agreement or this Addendum, shall hold and maintain (and cause to be held and maintained) such other Party’s Data in strict confidence. Customer shall be solely liable for the unauthorized collection of or access to or disclosure, distribution, Processing, use or transmission of Platform Data in Customer’s possession, custody or control (including, without limitation, on any Customer Systems) and/or in the possession, custody or control of any Customer Authorized Users. Other than as expressly authorized in this Addendum or the Agreement, Customer agrees that it will not share, disclose, or transmit to any third-party person or entity, or otherwise grant any third-party person or entity access to, any Platform Data that is Personally Identifiable Information unless (a) such person or entity agrees, in writing, to abide by data security obligations at least as restrictive as set forth in this Addendum and as required to be compliant with applicable Law; and (b) Customer obtains AIX’s express, written consent before doing so, which consent will not be unreasonably withheld.
3.1.3. Protection of Data. Each Party shall, at its sole expense, implement administrative, technical, and physical safeguards appropriate to such Party’s size and complexity, the nature and scope of such Party’s activities, and the sensitivity of any Personally Identifiable Information at issue, to protect the Personally Identifiable Information comprising the other Party’s Data in such first Party’s possession, custody, or control from unauthorized use, access, or disclosure, and, notwithstanding the generality of the foregoing, as needed to (a) reasonably protect the security, integrity, availability, and confidentiality of such Data in such Party’s possession, custody, or control; (b) reasonably protect against anticipated threats or hazards to the security or integrity of such Data or such first Party’s Systems; (c) reasonably protect against destruction, loss, alteration or unauthorized access to or use of such Data; (d) encrypt such Data during storage and transmission thereof (including, without limitation, when stored on laptops or mobile devices or transmitted over the internet); (e) maintain a comprehensive information security program to protect such Data from unauthorized access, use, modification, publication, theft, disclosure or transmission; (f) maintain appropriate technical and organizational measures to protect such Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure; (g) take measures to secure the transmission, storage and disposal of such Data; (h) implement authentication and access controls to ensure that such Data is made available only to persons or entities as expressly permitted pursuant to the Agreement or this Addendum and in no case transmit or make available any such Data to any entity or individual outside the continental United States; (i) take measures not to co-mingle such Data with other information or data, except as needed to provide or receive the Services or perform associated transactions or as otherwise permitted in the Agreement or this Addendum; (j) conduct risk assessments, penetration tests and vulnerability analyses and promptly implement appropriate safeguards and take appropriate measures to mitigate any risks evident from such testing or scans; (k) appropriately train employees and other personnel as to how to handle Personally Identifiable Information, the Data Security Laws and industry standards; (l) establish appropriate procedures to ensure the integrity of such Party’s Representatives; and (m) otherwise comply with applicable Laws. The administrative, technical, and physical safeguards implemented by AIX shall include those identified below, provided, however, that AIX’s failure to provide any of the below safeguards shall not in and of itself constitute a breach of this Addendum or the Terms and Conditions by AIX unless such a failure would also constitute a material breach by AIX of another term, condition, representation, or warranty of AIX under the Terms and Conditions, or this Addendum:
(a) System Security.
- AIX will use reasonable efforts to actively monitor industry-standard publications for information concerning applicable security alerts that pertain to AIX’s technical resources.
- At least quarterly, AIX will scan AIX’s core hardware, systems, and servers with industry-standard security vulnerability scanning software designed to detect security vulnerabilities, and will use reasonable efforts to remediate all critical, high, and medium risk security vulnerabilities identified.
- AIX will maintain and adhere to a documented process (which may be modified by AIX at any time in AIX’s sole discretion) reasonably designed to remediate security vulnerabilities that may be reasonably likely to impact AIX’s core hardware, systems, and servers.
- AIX will assign security administration permissions for configuring the security parameters of the Platform to only certain authorized users.
- AIX will utilize a minimum security baseline configuration for its core hardware, systems, and servers, which baseline is based upon industry-standard practices intended to reduce available ways for third parties to attack such hardware, systems, and servers.
- AIX will allow high-level system administration access only to individuals who require such access in the performance of their jobs.
- AIX will use reasonable efforts to enforce the rule of least privilege by requiring application, database, network and system administrators to restrict access by users.
(b) Physical Security.
- AIX will use reasonable efforts to restrict access to the physical facilities that contain AIX’s core hardware, systems, and servers to only authorized individuals.
- AIX will use reasonable efforts to monitor and record, for audit purposes, access to the aforementioned physical facilities.
(c) Network Security.
- AIX will implement industry-standard encryption when transferring Customer Data outside of AIX-controlled networks.
(d) Information Security.
- AIX will use logical access controls reasonably designed to protect Customer Data from unauthorized access.
- AIX will use reasonable efforts to maintain and adhere to documented processes and controls (which may be modified from time to time by AIX in its sole discretion) reasonably designed to detect and terminate unauthorized attempts to access Customer Data and/or system and application configuration files.
(e) Software and Data Integrity.
- AIX will have industry-standard antivirus software installed and running on its core hardware, systems, and servers to scan for and promptly remove or quarantine viruses and other malware detected by such software.
- AIX will maintain and adhere to a documented change control process (which may be modified from time to time by AIX in its sole discretion) including back-out procedures for all production environments.
(f) Monitoring and Auditing Controls.
- AIX will use reasonable efforts to restrict access to security logs to authorized individuals, and will use reasonable efforts to protect security logs from unauthorized modification.
- AIX will review, on no less than a weekly basis, any anomalies found in any of AIX’s security and security-related audit logs and will use reasonable efforts to document and resolve logged security problems in a timely manner.
(g) Security Breach.
- AIX will maintain and adhere to a documented procedure to be followed in the event of a Security Breach of Customer Data (the “Security Breach Protocol”). In such Security Breach Protocol, AIX shall:
a. include steps to follow in order to promptly investigate and make a determination if a Security Breach has occurred;
b. include steps to notify Customer in the event of a Security Breach that comply with the obligations in Section 6.2.4 below; and
c. include steps to provide Customer with regular status updates about the actions taken to resolve such incident.
3.1.4. Security Breach Obligations. Each Party acknowledges that certain applicable Laws (including certain Data Security Laws) may include certain provisions obligating owners, processors, controllers and licensees of Personally Identifiable Information to provide notice of Security Breaches, including any unauthorized access to or use of such information, to, among others, the individuals whose Personally Identifiable Information was accessed, disclosed or used in an unauthorized manner (the “Security Breach Laws”). If a Party becomes aware of any circumstance that may trigger either Party’s obligations under the Security Breach Laws, such Party shall promptly—and no more than three (3) days after becoming aware of such circumstance—provide notice to the other Party of such circumstance and the facts surrounding same. Moreover, each Party shall provide commercially reasonable cooperation to the other Party as needed for each Party to carry out its obligations under the Security Breach Laws (if any). Notwithstanding anything else to the contrary in the Agreement or this Addendum, each Party shall bear all direct costs of notification under the Security Breach Laws and arising out of any Security Breaches for any Data in such Party’s possession, custody, or control, or to the extent any Security Breach is caused, directly, or indirectly, by the acts or omissions of such Party (or, with respect to Customer, its Customer Authorized Users) including, but not limited to, all costs associated with printing, mailing, provision of a call center, and provision of credit monitoring services in appropriate circumstances. 
Further, each Party shall, at its cost and expense, use its best efforts to promptly contain and mitigate the effects of any Security Breach and to prevent any reoccurrence of any Security Breach, and shall preserve all logs, documents, records and other materials relating to any Security Breach and such Party’s actions in investigating, remedying and/or mitigating same.
3.1.5. Oversight. Upon the reasonable request of a Party, the other Party shall provide to the requesting Party documentation reasonably necessary for the requesting Party to confirm that the other Party is compliant with its duties and obligations under this Addendum, which provided documentation shall constitute the Confidential Information of the providing Party. Customer agrees that AIX shall be deemed to be compliant with this Section 6.2.5 if AIX provides to Customer, upon Customer’s reasonable request (not to exceed once in any 12-month period), a summary of AIX’s SOC-2 compliance audit results.
3.1.6. GLBA Compliance and Data Subject Rights. Notwithstanding anything to the contrary in the Addendum, in no event shall Customer use or disclose Platform Data for Customer’s or any third party’s marketing purposes. Furthermore, in the event a natural person who is the subject of any Data (a “Data Subject”) requests that a Party delete, modify, provide information concerning, restrict the Processing of, or destroy such Data Subject’s Personally Identifiable Information, the Party receiving such notice shall promptly, and in any event within ten (10) days, notify the other Party of such request. The Parties shall work together in good faith to fully comply with any such requests to the extent required per applicable Data Security Laws and within any applicable deadlines.
3.2. Return or Destruction of Data. Except to the extent a Party is required to retain Data in order to comply with applicable Laws or, with respect to AIX, except to the extent AIX may retain Customer Data in order to perform its duties or obligations, or exercise its rights, under the Agreement or as needed for AIX to comply with its internal document retention policies, in which case the obligations under this Addendum, in each case, shall remain in full force and effect, each Party shall return, destroy and/or purge (and Customer shall cause its Customer Authorized Users to so return, destroy, and/or purge) the other Party’s Data (a) when such Data is no longer needed for such Party’s legitimate business or legal purposes; (b) promptly at such other Party’s request; (c) as required per applicable Law; or (d) in any event, upon termination or expiration of the Agreement. The foregoing provision shall apply to all documents, memoranda, notes and other tangible embodiments whatsoever prepared by a Party (or, with respect to Customer, its Customer Authorized Users) based on or which includes the Data of the other Party. Each Party shall certify in writing by an authorized representative that all of the other Party’s Data has been so returned, destroyed and/or purged upon the other Party’s request. Each Party shall comply with all applicable data disposal Laws in performing its duties or obligations under this Section.
3.3. Survival. The provisions in this Section 6 shall survive termination or expiration of the Agreement for any reason (a) with respect to any trade secrets comprising the Data, for so long as such trade secrets are protected as such per applicable Laws; (b) with respect to Personally Identifiable Information comprising the Data, for so long as such is protectable or protected under or as otherwise required per applicable Law; and (c) with respect to any other Data not falling within (a) or (b), for (i) a period of five (5) years from termination or expiration of this Agreement; or (ii) the longest time permitted per applicable Law, whichever is shorter.