Privacy

Privacy and Information Security Addendum

This Privacy and Information Security Addendum (“Addendum”) sets forth the terms and conditions relating to the privacy, security

and protection of Personal Information (as defined below) associated with goods or materials provided or services rendered by Vendor to

Agency pursuant to the Purchase Order (the “PO”) between Vendor and Agency. Capitalized terms used, but not defined, in this Addendum

shall have the meanings given in the PO.

WHEREAS, Agency and/or Client or their employees, agents, consultants or contractors may provide Vendor with access to Personal

Information in connection with the PO; and

WHEREAS, Agency and Client require that Vendor preserve and maintain the privacy, confidentiality, security and protection of such

Personal Information.

NOW, THEREFORE, in consideration of Agency entering into the PO with Vendor, Agency and Vendor agree as follows:

I. Definitions.

(A) “Agency” means the entity designated as “Agency” in the PO or, if no such entity is so designated, the purchasing entity in the PO.

(B) “Client” means the entity designated as “Client” in the PO or, if no such entity is so designated, the client of Agency which will receive the benefit of the goods, materials, or services purchased under the PO.

(C) “Data Controller” means the entity that determines the purposes and means of the Processing of Personal Information.

(D) “Data Processor” means any person or entity that Processes Personal Information on behalf of a Data Controller.

(E) “Data Subject” means an identified or identifiable natural person to which the Personal Information pertains.

(F) “European Data Protection Laws” means all applicable European Union (“EU”), European Economic Area (“EEA”), United Kingdom and Swiss laws and regulations, and other national laws and regulations, relating to the privacy, confidentiality, security or protection of Personal Information, including, without limitation: the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and laws or regulations implementing or supplementing the e-Privacy Directive, including laws regulating the use of cookies, other tracking mechanisms and unsolicited e-mail communications.

(G) “Information Security Incident” means any actual or suspected unauthorized or accidental access to or loss, use,

disclosure, modification, destruction, acquisition or Processing of any Personal Information.

(H) “Instructions” means the PO and any amendment or other written agreement or documentation through which the

Data Controller instructs the Data Processor to perform specific Processing of Personal Information.

(I) “Notification Related Costs” means Agency’s or Client’s and its affiliates’ internal and external costs associated with investigating, addressing and responding to an Information Security Incident, including but not limited to: (i) preparation and mailing or other transmission of any notifications or other communications to Agency or Client or their respective employees, agents or others as Agency or Client deems reasonably appropriate; (ii) establishment of a call center or other communications procedures in response to such Information Security Incident (e.g., Agency or Client service FAQs, talking points and training); (iii) public relations and other similar crisis management services; (iv) legal, accounting, consulting and forensic expert fees and expenses associated with Agency’s, Client’s and their affiliates’ investigation of and response to such Information Security Incident; and (v) costs for commercially reasonable credit monitoring, identity protection services or similar services that Agency or Client determines are advisable under the circumstances.

(J) “Personal Information” means any information that is Processed in connection with the services specified in the PO (1) relating to an identified or identifiable natural person, or (2) that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be: (i) Processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of the PO, or (ii) derived by Vendor from such information. Personal Information includes, but is not limited to, the data elements listed in section 140(o)(1)(A)-(K) of the California Consumer Privacy Act of 2018 (“CCPA”), if any such data element identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household.

(K) “Privacy Laws” means all applicable international, federal, state, national, provincial, and local laws, statutes, rules, regulations, directives, ordinances, self-regulatory frameworks, and governmental requirements, in each case currently in effect or as they become effective, relating in any way to the privacy, protection, confidentiality, security, collection, use, disclosure, processing, retention, transfer, or disposal of Personal Information, including without limitation:

(i) the following laws:
• European Data Protection Laws, including Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) and implementing national legislation;
• the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (collectively, the “CCPA/CPRA”);
• the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq.;
• the Connecticut Data Privacy Act;
• the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.;
• the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.;
• the Texas Data Privacy and Security Act;
• the Florida Digital Bill of Rights;
• the Oregon Consumer Privacy Act;
• the Montana Consumer Data Privacy Act;
• the Iowa Consumer Data Protection Act;
• the Indiana Consumer Data Protection Act;
• the Tennessee Information Protection Act;
• the Delaware Personal Data Privacy Act;
• the New Jersey Data Privacy Act;
• the New Hampshire Privacy Act;
• the Minnesota Consumer Data Privacy Act;
• and any other similar comprehensive U.S. state or federal privacy, consumer data protection, or information security laws,
together with all amendments, regulations, guidance, and successor statutes thereto;

(ii) all applicable industry standards, codes of conduct, and self-regulatory frameworks relating to privacy, confidentiality, or information security, to the extent contractually binding or legally enforceable; and

(iii) all applicable provisions of Agency’s or Client’s written policies, standards, requirements, privacy notices, or data protection addenda, in each case provided to Vendor in writing and as in effect from time to time, relating to the privacy, confidentiality, or security of Personal Information.

(L) “Data Privacy Framework” or “DPF” means, collectively, (i) the EU–U.S. Data Privacy Framework, (ii) the UK Extension to the EU–U.S. Data Privacy Framework, and (iii) the Swiss–U.S. Data Privacy Framework, in each case as administered by the U.S. Department of Commerce and as may be amended, supplemented, or replaced from time to time. (For the avoidance of doubt, the EU–U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework are no longer valid transfer mechanisms and are not relied upon under this Addendum.)

(M) “Process” (and its derivatives) means any operation or set of operations performed upon Personal Information, whether or not by automatic means, including, without limitation, creating, collecting, aggregating, procuring, obtaining, accessing, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, making available, aligning, combining, restricting, erasing and/or destroying the information.

(N) “Sub-Processor” means any entity engaged by Vendor (or by a further Sub-Processor) to Process Personal Information on behalf and under the authority of Agency or Client.

(O) “Vendor” means the entity designated as “Vendor” in the PO or, if no such entity is so designated, the selling entity in the PO.

(P) “Business Purpose”, “Deidentified”, “Sell” and “Share” (and their respective derivatives) shall have the meanings ascribed to them in the CCPA/CPRA.

II. Privacy of Personal Information.

(A) The Parties acknowledge and agree as follows:

a. Agency or Client, as the case may be, is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Information Processed under the PO, and Vendor is acting solely as a Data Processor on behalf and under the Instructions of Agency or Client. Vendor acknowledges and agrees that, as between Vendor and Agency, Agency or Client owns all Personal Information.

b. The Personal Information that Agency or Client discloses to Vendor is provided to Vendor only for limited and specified Business Purposes, and neither Agency nor Client Sells or Shares Personal Information to Vendor in connection with the PO.

c. During the time the Personal Information is disclosed to Vendor, neither Agency nor Client will have knowledge

or reason to believe that Vendor is unable to comply with the provisions of the PO.

(B) Vendor represents, warrants and covenants as follows:

a. Vendor shall hold in strict confidence any and all Personal Information and shall Process Personal Information

only to the extent, and in such manner, as is necessary to provide services for or on behalf of Agency and Client in accordance with the PO.

b. Vendor shall Process Personal Information only on behalf of and in accordance with the Instructions of Agency or Client, and only as necessary to perform the services specified in the PO (which the parties acknowledge and agree are for Agency’s or Client’s Business Purposes), unless Vendor is otherwise required by applicable law, in which case Vendor shall inform Agency of that legal requirement before Processing the Personal Information (unless informing Agency is prohibited by law on important grounds of public interest). Vendor shall not (i) Sell or Share Personal Information; (ii) retain, use or disclose Personal Information (a) for any purpose other than the specific purpose of performing the services specified in the PO, or (b) outside of the direct business relationship between the Parties; or (iii) combine Personal Information received pursuant to the PO with Personal Information received from or on behalf of another person(s), or collected from Vendor’s own interactions with individuals, unless permitted by applicable Privacy Laws. Vendor shall immediately inform Agency if, in Vendor’s opinion, an Instruction infringes Privacy Laws.

c. Vendor shall ensure that Vendor Personnel are only granted access to Personal Information on a need-to-know basis, are subject to duly enforceable contractual obligations that are substantially similar to those required by the PO, and only Process Personal Information in accordance with the Instructions of Agency or Client.

d. Vendor shall immediately inform Agency in writing of any requests from Data Subjects with respect to Personal Information, including without limitation any request to exercise rights under Privacy Laws. Vendor shall direct the requesting individual to submit the request directly to Agency at the address set forth on the front of the PO. Vendor shall cooperate with Agency if an individual requests (i) access to his or her Personal Information, (ii) information about the categories of sources from which the Personal Information is collected, or (iii) information about the categories or specific pieces of his or her Personal Information Processed by Vendor on Agency’s behalf. Vendor shall cooperate with and provide assistance to Agency, at no cost to Agency, in a manner that allows Agency to timely comply with its obligation to respond to Data Subject requests to exercise rights under Privacy Laws in connection with their Personal Information, including by providing the requested information in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit the information to another entity without hindrance. Vendor shall respond to such requests only as specifically directed by Agency and in accordance with Agency’s written instructions and the PO.

e. Vendor shall assist Agency in complying with its obligations under Privacy Laws, including without limitation Agency’s and Client’s obligations under European Data Protection Laws to implement appropriate data security measures, to carry out a data protection impact assessment, and to consult the competent supervisory authority.

f. Vendor shall maintain internal record(s) of Processing activities, copies of which shall be provided to Agency by

Vendor upon Agency’s request.

g. Vendor shall notify Agency immediately in writing of any subpoena or other judicial or administrative order by a

government authority or proceeding seeking access to or disclosure of Personal Information. Agency shall have the right to defend such

action in lieu of and/or on behalf of Vendor. Agency may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with

Agency in such defense.

(C) Vendor certifies that it understands and will comply with the requirements and restrictions set forth in this

Addendum, the confidentiality and non-disclosure agreement between Vendor and Agency, and the PO.

III. Data Transfers.

(A) With respect to any Personal Information received by or on behalf of Agency or Client from the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, to the extent Vendor is certified under the applicable Data Privacy Framework, Vendor shall: (a) provide at least the same level of protection for such Personal Information as is required by the Data Privacy Framework Principles, including the Supplemental Principles, to the extent applicable; (b) promptly notify Agency if Vendor determines that it can no longer meet its obligation to provide the level of protection required by the Data Privacy Framework Principles; and (c) upon notice from Agency, take reasonable and appropriate steps to stop and remediate, as directed by Agency, any Processing of such Personal Information that Agency reasonably determines is not consistent with the Data Privacy Framework Principles or applicable Privacy Laws.

(B) Vendor shall not transfer Personal Information outside the country from which the Personal Information was

originally delivered or made available to Vendor, or from which Vendor otherwise accessed or obtained such Personal Information, (or, if

it was originally delivered to a location inside the EEA, UK or Switzerland, outside the EEA, UK or Switzerland) for Processing without the

explicit written consent of Company. Where Vendor, with the consent of Company, transfers such Personal Information, Vendor shall

comply with Privacy Laws and implement a data transfer mechanism (e.g. DPF certification or signing the Standard Contractual Clauses)

in accordance with Privacy Laws to the extent required for such cross-border transfer.

(C) Where Personal Information subject to European Data Protection Laws is transferred to a country that has not been deemed by the European Commission to provide an adequate level of protection and the Data Privacy Framework does not apply, Vendor shall execute the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 (Module Two: Controller-to-Processor), available at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

(D) Where Personal Information subject to UK Data Protection Laws is transferred outside the UK and the Data Privacy Framework does not apply, Vendor shall execute either (i) the UK International Data Transfer Agreement, or (ii) the UK Addendum to the EU Standard Contractual Clauses, as applicable.

IV. Sub-Processing.

(A) Vendor shall not share, transfer, disclose, make available or otherwise provide access to any Personal Information to any

third party, or contract any of its rights or obligations concerning Personal Information, unless Agency or Client has authorized Vendor to do

so in writing. Where Vendor, with the consent of Agency or Client, provides access to Personal Information to a Sub-Processor, Vendor shall

enter into a written agreement with each such Sub-Processor that imposes obligations on the Sub-Processor that are the same as those imposed

on Vendor under the PO and requires the Sub-Processor to provide at least the same level of protection as is required by the PO. Vendor shall

only retain Sub-Processors that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Information.

Vendor shall remain fully liable to Agency and Client for its obligations under the PO, even if such obligations are delegated to a Sub-Processor.

(B) To the extent Vendor provides a third-party Processor access to Personal Information received by Agency or Client from individuals in the EEA, UK or Switzerland, Vendor shall (i) transfer the Personal Information to the third-party Processor only for the limited and specified purposes instructed by Agency or Client, (ii) ascertain that the third-party Processor is obligated to provide at least the same level of privacy protection as is required by the Data Privacy Framework principles, (iii) take reasonable and appropriate steps to ensure that the third-party Processor effectively Processes the Personal Information transferred in a manner consistent with the Data Privacy Framework principles, (iv) require the third-party Processor to notify Vendor if the third-party Processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework principles, and (v) upon notice, including under (iv) above, take reasonable and appropriate steps to stop and remediate unauthorized Processing.

V. Compliance with Applicable Laws.

(A) Vendor shall comply with all applicable Privacy Laws and provide the level of privacy protection for Personal

Information as is required by applicable Privacy Laws.

(B) No applicable law, legal requirement, enforcement action, investigation, litigation or claim prohibits Vendor from (i) fulfilling its obligations under the PO, or (ii) complying with Instructions it receives from Agency or Client concerning Personal Information. Agency or Client may take any reasonable and appropriate steps to ensure that Vendor uses Personal Information in a manner consistent with Agency’s or Client’s obligations under applicable Privacy Laws. In the event a law, legal requirement, enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Vendor’s ability to fulfill its obligations under the PO, Vendor shall promptly notify Agency in writing, and Agency or Client may, in its sole discretion and without penalty of any kind to Agency or Client, suspend the (i) transfer or disclosure of Personal Information to Vendor or (ii) access to Personal Information by Vendor, terminate any further Processing of Personal Information by Vendor, and terminate the PO, if doing so is necessary to comply with Privacy Laws. Agency or Client may take any reasonable and appropriate steps to stop and remediate the unauthorized use of Personal Information.

(C) Vendor shall promptly notify Agency, and in no event later than twenty-four (24) hours after the determination, if at any time Vendor determines that it can no longer meet its obligations under this Addendum or applicable Privacy Laws.

(D) Vendor shall enter into any further data processing agreement reasonably requested by Agency or Client for purposes

of compliance with Privacy Laws. In case of any conflict between this Addendum and any such further privacy, confidentiality or

information security written agreement, such further written agreement shall prevail with regard to the Processing of Personal

Information covered by it.

VI. Data Security.

(A) Vendor shall develop, implement and maintain a comprehensive written information security program that complies with applicable Privacy Laws as well as the terms and conditions of Exhibit A and the PO. Vendor’s information security program shall include reasonable and appropriate administrative, technical, physical, organizational and operational safeguards and other security measures to (i) ensure the security and confidentiality of Personal Information; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Information; and (iii) protect against any Information Security Incident. These measures shall include, as appropriate and without limitation, pseudonymization, deidentification, aggregation or encryption of the Personal Information; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to the Personal Information in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

(B) Vendor shall perform services in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”), and hereby acknowledges its responsibility for the security of any Cardholder Data (as such term is defined in the PCI DSS) which it stores, transmits or processes in connection with the PO. Vendor shall perform any and all tasks, assessments, reviews, penetration tests, scans and other activities required under the PCI DSS for companies in the same category or categories as Agency and Client (including any compliance guidance issued by the PCI Security Standards Council or its subordinate bodies) or otherwise to validate, during the term of the PO, its compliance with the PCI DSS as it relates to the system components and portions of the cardholder data environment (as such terms are defined in the PCI DSS) for which Vendor is responsible. Upon Agency’s or Client’s request, Vendor shall deliver to Company copies of all documentation necessary to verify such compliance, including without limitation any attestation of compliance, report on compliance, self-assessment questionnaire, or testing or assessment results.

(C) Vendor shall exercise the necessary and appropriate supervision over Vendor Personnel to maintain appropriate privacy, confidentiality and security of Personal Information in accordance with the PO. Vendor shall provide training, as appropriate, regarding the privacy, confidentiality, and information security requirements set forth in the PO to relevant Vendor Personnel who have access to Personal Information.

(D) Promptly upon the expiration or earlier termination of the PO, or at such earlier time as Agency or Client requests, Vendor shall return to Agency, Client or its designee, or, at Agency’s or Client’s request, securely delete, destroy or render unreadable or undecipherable if return is not reasonably feasible or desirable to Agency or Client (which decision shall be based solely on Agency’s or Client’s written statement), each and every original and copy in every media of all Personal Information in Vendor’s, its affiliates’ or any Sub-Processor’s possession, custody or control. Promptly following any return or alternate action taken to comply with this paragraph, Vendor shall provide to Agency or Client a completed Officer’s Certificate certifying that such return or alternate action occurred. In the event and during the period that Vendor is unable to perform such delivery, deletion or destruction of certain Personal Information for reasons permitted under applicable law, Vendor warrants that it shall (i) promptly inform Agency or Client of the reason(s) for its refusal of the deletion request, (ii) ensure the privacy, confidentiality and security of the Personal Information in accordance with the PO, and (iii) delete the Personal Information promptly after the reason(s) for Vendor’s refusal has expired, and that Vendor shall not use or disclose any Personal Information after termination of the PO.

VII. Data Breach Notification.

(A) Vendor shall immediately inform Agency in writing of any Information Security Incident of which Vendor becomes aware, and in no case later than twenty-four (24) hours after it becomes aware of the Information Security Incident or within such shorter period as is required by applicable law. The notification to Agency shall include all available information regarding such Information Security Incident, including information on: (i) the nature of the Information Security Incident, including where possible the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Information records; (ii) the likely consequences of the Information Security Incident; and (iii) the measures taken or proposed to be taken to address the Information Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.

(B) Vendor shall promptly investigate such Information Security Incident, take all necessary and advisable corrective actions, and cooperate fully with Agency and Client in all reasonable and lawful efforts to prevent, mitigate or rectify such Information Security Incident. Vendor shall provide Agency and Client with such assurances as Agency or Client shall request that such Information Security Incident is not likely to recur. Vendor shall provide such assistance as required to enable Agency and Client to satisfy their respective obligation(s) under Privacy Laws. The content of any filings, communications, notices, press releases or reports related to any Information Security Incident must be approved by Agency prior to any publication or communication thereof.

(C) Agency or Client shall have the right at any time after learning of an Information Security Incident to engage and involve external forensic firms in the investigation of the Information Security Incident (which will include a right to investigate Vendor’s systems), and Vendor shall comply with all reasonable requests of such external forensic firm. Vendor shall use commercially reasonable efforts to preserve all applicable evidence relating to the Information Security Incident until the forensic investigation is completed or Agency or Client confirms to Vendor that it waives its right to conduct such an investigation.

(D) In the event of an Information Security Incident involving Personal Information in Vendor’s possession, custody or control, or for which Vendor is otherwise responsible, Vendor shall reimburse Agency or Client, as the case may be, on demand for all commercially reasonable Notification Related Costs (as defined above) incurred by Agency or Client, as the case may be, arising out of or in connection with any such Information Security Incident.

VIII. Audit.

(A) Vendor shall make available to Agency or Client all information necessary to demonstrate compliance with the obligations set forth in the PO and allow for and contribute to audits, including inspections, conducted by Agency or Client or another auditor mandated by Agency or Client. Without limiting the generality of the foregoing, on an annual basis, Vendor (including its affiliates and its and their Sub-Processors), at Vendor’s expense, shall require auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Standards for Attestation Engagements No. 18, Reporting on Controls at a Service Organization (or its successors) (“SSAE 18”), of the services performed by Vendor for or on behalf of Agency or Client and issue SOC 1 and SOC 2 reports (Type II) thereon (collectively, “SOC Reports”) for the applicable calendar year. Vendor (including its affiliates and its and their Sub-Processors) shall deliver to Agency a copy of the SOC Reports within six (6) weeks after conducting the SSAE 18 assessment for the calendar year. Vendor shall prepare and implement a corrective action plan to correct any deficiencies and resolve any problems identified in such reports. Vendor shall correct any audit control issues or weaknesses identified in any SOC Reports, at no additional cost to Agency or Client. If specific audit recommendations are not implemented by Vendor, then Vendor shall implement such alternative steps as are reasonably satisfactory to Agency and Client for the purposes of minimizing or eliminating the risks identified in any such SOC Report.

(B) Agency or Client shall have the right to monitor Vendor’s compliance with this Addendum, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits or other technical and operational testing at least once every 12 months. During normal business hours, and upon reasonable prior notice, Agency or Client and/or its authorized representatives may inspect Vendor’s facilities and equipment, and any information or materials in Vendor’s possession, custody or control, relating in any way to Vendor’s obligations under the PO. An inspection performed pursuant to this Addendum shall not unreasonably interfere with the normal conduct of Vendor’s business. Vendor shall cooperate fully with any such inspection initiated by Agency or Client.

(C) Vendor shall notify Agency in writing in the event of a material change to Vendor’s internal security plans, controls

or measures.

IX. Liability. Vendor will indemnify and hold harmless Agency, its parent, affiliates, Client, and their respective officers, directors, employees, agents, shareholders, and licensees from and against all claims, actions, liabilities, losses, fines, penalties, costs and expenses (including without limitation reasonable attorneys’ fees) relating to and/or arising from: (i) any violation of this Addendum; (ii) Vendor’s negligence, gross negligence, bad faith, fraudulent acts or omissions, or intentional or willful misconduct; (iii) Vendor’s use of any Sub-Processor providing services in connection with or relating to Vendor’s performance under the PO; and (iv) any Information Security Incident involving Personal Information in Vendor’s possession, custody or control, or for which Vendor is otherwise responsible. In no event shall Vendor’s liability be excluded or limited for a violation of its obligations under the PO.

X. Injunctive Relief. Vendor agrees and acknowledges that any Processing of Personal Information in violation of the PO, Agency’s Instructions, or any Privacy Law may cause immediate and irreparable harm to Agency and/or Client for which money damages may not constitute an adequate remedy. Therefore, Vendor agrees that Agency or Client may obtain specific performance and injunctive or other equitable relief, in addition to all other remedies available at law or in equity.

XI. No Protected Health Information. Vendor will ensure that it does not provide, or make available, to Agency or Client any “protected health information” (as such term is defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations), unless Vendor and Agency have first entered into a mutually agreed business associate agreement (BAA).

Exhibit A

Systems Access & Security Addendum

1. Definitions.

a. “Agency Data” means all data, content, information or materials provided by, or on behalf of, Agency, to Vendor in connection with this Agreement and all data, content and information processed, generated, derived or output from Agency’s use of Vendor’s products and services.

b. “Applicable Law” means all applicable laws, rules and regulations and other enactments, orders, mandates or resolutions issued or enacted by any governmental entity (including any domestic or foreign, supranational, state, local, or other government) or applicable guidelines or principles issued by any governmental entity in connection with this Agreement, including Privacy laws; each as the same are updated, amended or replaced from time to time.

c. “Information Security Program” is a documented set of organizational IT security policies, guidelines, procedures, standards, and controls designed to protect a company’s infrastructure.

d. “AI Tool” means an engineered or machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers from the inputs how to generate outputs such as content, predictions, recommendations, or decisions influencing real or virtual environments (and includes, without limitation, generative artificial intelligence tools, large language and general purpose artificial intelligence models, and predictive artificial intelligence).

2. Access to Agency Systems. Vendor shall comply with all electronic security measures, policies, standards and procedures regarding access to Agency’s systems which Agency has in place, or Agency provides or makes available separately to Vendor (the “System Access Safeguards”). Without limiting the foregoing, Vendor shall (a) not tamper with, compromise or circumvent the System Access Safeguards and (b) ensure that only those users who are specifically authorized to gain access to Agency’s systems and environments gain such access. If at any time either party determines that (i) Vendor or any of its personnel has attempted to circumvent or has circumvented the System Access Safeguards, (ii) an unauthorized person has accessed or may access, through Vendor, Agency’s systems and environments, or (iii) through Vendor a person has engaged in activities that may lead to a breach of the System Access Safeguards, then, in each case, Vendor shall immediately: (A) notify Agency; (B) terminate such person’s access; and (C) if Vendor or any of its personnel was responsible for the circumvention, attempted circumvention, unauthorized access, destruction or alteration, (1) investigate and cure such circumvention, attempted circumvention, unauthorized access, destruction or alteration and (2) provide satisfactory assurance to Agency that such circumvention, attempted circumvention, unauthorized access, destruction or alteration shall not recur. If Agency reasonably determines that Vendor or its personnel has attempted to or has circumvented the System Access Safeguards, Agency may immediately terminate any or all Vendor’s or its personnel’s access to the systems and environments. Failure to comply with the System Access Safeguards shall be deemed a material breach of this Addendum.

3. Vendor Security Measures. Agency requires its vendors to have in place a robust Information Security Program, which aims to protect Agency Data and the integrity of Vendor’s systems. Vendor’s information security program must include, but should not be limited to, the following:

a. Information Security Policies:

♦ Vendor will use a documented security control framework based upon an accepted industry standard for governing the information security practices by the Vendor (e.g., NIST, HITRUST, ISO, ANSSI, etc.). Such framework will utilize a standard set of controls, and shall be meant to include, but not be limited to, commercially available and widespread use of protective measures.

♦ Vendor shall develop and maintain comprehensive policies and enforcement procedures based on the adopted security framework.

♦ Vendor shall review its policies not less than annually and whenever there is a material change in practices or regulatory requirements.

♦ Vendor shall have a designated employee or group of employees who shall maintain said policies and procedures of enforcement.

♦ Vendor shall monitor its policies and procedures to ensure that the program described therein is operating in a manner reasonably calculated to prevent a security breach.

b. Security Organization:

♦ Vendor shall designate an individual and adequate support staff to be responsible for information security within their organization.

♦ This designated individual shall be a qualified CISO or security designee, managing and responsible for requirements outlined in this Exhibit A.

c. Physical Security:

♦ Vendor shall maintain appropriate physical security controls, including facility and environmental controls, to prevent unauthorized physical access to Vendor processing resources and areas in which Agency Data is stored or processed.

♦ A layered physical security model, including but not limited to the following safeguards:

i. Access to data processing facilities is restricted to approved employees with specific roles.

ii. All employees who access Personal Information are required to sign confidentiality agreements.

iii. Access to data processing facilities is protected using one or a combination of the following: magnetic or chip cards, keys, electronic door openers, biometric controls.

iv. Data processing facilities are monitored 24/7 by security services and/or entrance security staff.

v. Data processing facilities are protected by intrusion detection systems and 24/7 CCTV monitoring systems.

vi. Access logs, activity records, and camera footage are retained.

d. Risk Management:

♦ Vendor shall develop and use a defined risk assessment methodology.

♦ Vendor shall conduct risk assessments and reviews on a regular basis to ensure controls are properly operating.

♦ Vendor will document results of all risk assessments, develop action plans for the mitigation of findings, and track the progress of such action plans.

e. Configuration and Change Management:

♦ Vendor shall define and control formal, documented configuration and change management policies. Said policies shall address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. Vendor shall review said policies and update as needed, but in no case shall such reviews occur less than annually.

♦ Vendor shall ensure that all changes to systems are documented and follow recognized change control procedures.

♦ Vendor shall ensure that segregation of duties exists such that the individual or system performing changes is not the same individual or system which approves such changes.

f. Third-Party Management:

♦ Vendor shall conduct risk assessments and reviews upon all third parties that may have access to or supply data within scope of data confidentiality requirements or under regulatory compliance requirements no less than once per year. A summary of such assessment methodology, along with a summary of results, shall be provided to Agency upon written request.

♦ Vendor shall provide to Agency, upon request, information on its third-party security audit processes, procedures and controls, including a summary report on any material findings and remediation efforts relevant to services authorized under the Agreement.

♦ Unless specifically authorized and agreed to by the parties in the PO, Vendor shall not provide or allow access to Agency Data by any third party.

♦ Vendor shall be responsible for ensuring all contracted downstream partners and cloud service providers used in the delivery of services authorized under the Agreement meet or exceed the security obligations contained in this Addendum.

♦ Vendor shall report to Agency within thirty (30) days of execution of this Addendum, and upon any change, the names and locations of all downstream partners with access to Agency Data, and the nature of the services provided by those partners that necessitates access to Agency Data. Vendor shall further report to Agency annually a consolidated list of the names and all locations of all downstream partners with access to Agency Data, and the nature of the services provided by those partners that necessitates access to Agency Data.

g. Encryption Requirements:

♦ Vendor shall encrypt all Agency Data regardless of its location at rest and in transit. All such encryption shall minimally meet the stated encryption requirements.

♦ Vendor shall utilize dedicated encryption keys. All encryption keys used to protect Agency Data shall be uniquely associated to Agency. The use of said encryption keys to encrypt non-Agency data is forbidden.

♦ All keys will be protected against modification; secret and private keys need to be protected against unauthorized disclosure.

♦ FIPS-approved or NIST-recommended or ANSSI-recommended cryptographic algorithms commensurate with key size shall be used whenever cryptographic services are applied.

♦ Vendor shall implement full disk encryption on any built-in or removable storage media in any Vendor controlled personal computer device which may access, store, process, transmit, or create Agency Data. All such encryption shall minimally meet the Advanced Encryption Standard with a 256-bit cypher key (“AES-256”) as outlined in the Federal Information Processing Standards publication 197 (“FIPS 197”).

♦ In the event that tapes are used for system backup, such tapes shall be encrypted and appropriately inventoried and logged as to location and planned destruction date.

h. Transmission Protection:

♦ Vendor shall encrypt all data, records, and files containing Agency Data, including email, that shall be transmitted wirelessly or travel across public networks.

♦ TLS v1.2 or higher must be used for data transmission.

i. Virus, Malware, and Endpoint Detection and Protection:

♦ Vendor shall install, enable, and keep current reputable, commercially available anti-virus, anti-malware, and endpoint detection and protection software on all Vendor servers and user endpoint computers used in accessing, storing, processing, transmitting, or creating Agency Data.

j. Remote Access Requirements:

♦ All permitted and authorized remote sessions that may entail access to Agency Data shall only be performed via a secure remote access solution that ensures end-to-end encryption and secure authentication methodology.

k. Password, Access and Identity Management:

♦ Vendor shall require that Vendor representatives’ access rights and levels are based on employee job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.

♦ Vendor shall require that all Vendor representatives with access to Agency Data use a unique username and password (collectively “Login Credentials”). Each password shall have an effective use period of no more than ninety (90) days. Said password shall be a minimum of ten (10) characters in length and include at least three (3) of the following: alpha, numeric, special character, and case sensitivity. Additionally, said password shall not contain any portion of username, and shall not be reused for a minimum of three hundred sixty-five (365) days.

♦ Vendor shall ensure that Login Credentials are terminated within twenty-four (24) hours following the removal of Vendor Representatives from provision of the Services for any reason.

♦ Vendor shall use unique logins on all network equipment whenever commercially possible.

♦ Vendor shall not allow the sharing of passwords.

♦ Vendor shall not allow the use of Vendor supplied default credentials.

♦ Not less than monthly, Vendor shall review access log files for indications of misuse of credentials, including but not limited to, sharing of credentials, sharing of passwords, etc.

♦ Not less than monthly, Vendor shall review access log files for suspicious login activity. Any such identified activity shall be promptly investigated and appropriately mitigated.

♦ Automatic time-out of user if session left idle; identification and password required to reopen.

♦ Application of Multi-Factor Authentication (MFA) for systems and staff supporting all contracted services.

l. System Access Control and Monitoring:

♦ Vendor shall implement a formal user registration and deregistration procedure for granting and revoking access to Vendor Processing Resources. Upon termination of any of Vendor Representatives, Vendor shall ensure that such Vendor Representative’s access to Agency Data is revoked. In the event of an involuntary termination, Vendor shall ensure all access is revoked immediately.

♦ Vendor shall maintain appropriate access control mechanisms to prevent all access to Agency Information Systems and/or Vendor Processing Resources, except by (a) specified users expressly authorized by Agency and (b) Vendor Representatives who have a “need to access” to perform a particular function in support of Vendor Processing.

♦ Vendor shall maintain appropriate mechanisms and processes for detecting, recording, analyzing, and resolving unauthorized attempts to access Agency Information Systems or Vendor Processing Resources.

♦ Vendor shall review access logs not less than quarterly to ensure that access permissions are appropriate and necessary.

♦ Vendor’s operating system security mechanisms must be configured to support appropriate security procedures, and should at a minimum:

i. Identify and verify the identity of each authorized user; and

ii. Record successful and failed system accesses.

♦ Vendor shall ensure that segregation of duties exists such that the individual or system granting access is not the same individual or system which approves such access.

m. Cloud Computing:

♦ If Vendor is providing cloud services (IaaS, PaaS, SaaS) as part of this engagement, Vendor will align practices with the CSA CCM and SOC2 standards.

♦ Vendor shall ensure that all Agency Data stored in any cloud-based solution be encrypted per all aforementioned encryption requirements.

♦ Where appropriate, applicable and feasible, Agency Data shall be stored in data centers that are closest to the subjects for which the data is collected and housed. If out of subject area data storage is required, only Agency approved geolocations shall be utilized.

♦ Vendors delivering cloud computing services shall define and provide a listing with roles and functions that cover all aspects of shared responsibilities for control requirements in IaaS, PaaS, and SaaS environments. Such list shall be updated upon material change or at a minimum annually and shall be delivered to Agency upon request.

n. Secure Software Development:

♦ If Vendor develops and provides software as part of this engagement, Vendor will maintain a secure software development lifecycle, policies and practices aligned with industry standards such as OWASP.

♦ At minimum, Vendor shall ensure all software developers are trained on secure coding principles and the OWASP Top 10 annually, or an industry equivalent secure software development framework.

♦ The Vendor shall have policy requirements in place that require peer reviews of all software code supporting Agency deliverables.

♦ The Vendor shall have commercial tools in place to detect security vulnerabilities and ensure that no known Common Vulnerabilities and Exposures (CVEs) with a severity rating of high or critical are promoted to a production release without Agency’s agreement.

♦ The Vendor shall document security requirements for all their deliverables and be able to demonstrate that they successfully tested for successful implementation of all documented security requirements.

♦ If requested by Agency, Vendor shall provide a copy of their current software code base so the Agency can scan the code for vulnerabilities.

o. Network and Communication Controls:

♦ Vendor shall implement appropriate controls to ensure that only authorized devices are provisioned network access when physically connected to the network.

♦ As necessary, Vendor shall provision logically or physically segregated networks to allow guest access for visitors to their facilities. In no case shall Vendor allow guests, or other non-Vendor managed and controlled personnel, access to production networks.

♦ All Vendor controlled wireless connections shall be secured utilizing Wi-Fi Protected Access 2 (“WPA2”) or better security protocol.

♦ Vendor shall ensure that interconnections within Vendor, with other companies, and with the Internet (“Access Points”), whether wired or wireless, into the Vendor network are protected by using firewalls, secure tunnels, and access lists on routers.

♦ Vendor shall ensure that a network management system is used to monitor its local network and servers. Thresholds and alarms shall be established to notify Vendor of potential problems or outages.

♦ Vendor shall implement either host-based or network-based Intrusion Detection Solution (“IDS”) or Intrusion Protection Solution (“IPS”) on any Vendor controlled network used to process, store, transmit, or access Agency Data. Appropriate response and recovery plans to monitor potential unauthorized access to said network and systems shall be implemented.

♦ Vendor shall implement appropriate data governance and data protection measures and solutions to ensure compliance and protection of regulated data.

♦ Vendor must ensure that all transfer methods used to transmit sensitive data are encrypted using supported encryption protocols and ciphers.

p. Vulnerability Management and Patching:

♦ Vendor shall adhere to applicable standards governing the patch management criticality rankings and patching time frame requirements for all systems and applications including, but not limited to, switches, routers, appliances, servers, workstation PCs, commercial software, databases, and open-source software.

♦ Vendor shall conduct comprehensive scans for known vulnerabilities on all externally facing systems no less than one time per month.

♦ Vendor shall conduct comprehensive scans for known vulnerabilities on the entire network no less than once per quarter.

♦ All critical vulnerabilities must be remediated within 48 hours of release unless application requirements preclude such patching, with a 100% target effectiveness. All high vulnerabilities must be remediated within 7 days of release unless application requirements preclude such patching, with a 90% target effectiveness. Should such preclusion exist, mitigating controls offering the same level of protection must be implemented within the aforementioned time frame.

♦ Vendor shall ensure that all patches are implemented in a timely manner. Medium and low patches must be implemented within thirty (30) days of release unless application requirements preclude such patching, with an 80% target effectiveness. Should such preclusion exist, mitigating controls offering the same level of protection must be implemented within the aforementioned time frame.

♦ Annual penetration tests on all Internet facing assets performed by a different leading testing company every year to ensure test independence. Vendor will make available all third-party attestations resulting from vulnerability scans and penetration tests per independent external audit reports.

q. Secure Disposal:

♦ All media containing Agency Data shall be disposed of via appropriate physical destruction (e.g., shredding, drilling, crushing, incinerating, etc.). Disposal methodology shall be driven by category of information and NIST or ANSSI guidance on appropriate minimum destruction techniques and procedures. Media shall include any storage capability in owned or leased equipment to include Multi-Function Devices such as leased copy/printer/fax machines. The destruction shall be certified in writing and evidence provided to the Agency upon a written request.

r. Vendor Employee Training and Related Matters:

♦ Vendor shall perform background checks, where allowable by local law and regulations, on any Vendor Representative with potential access to Agency Data to the extent permitted by applicable laws. Such background checks must be performed prior to allowing such individual to access Agency Data; and Vendor shall not allow any individual who does not have a satisfactory background check to access Agency Data.

♦ Vendor shall train new Vendor Representatives – including contingent workers – on the acceptable use and handling of Agency Data.

♦ Vendor shall provide periodic and mandatory Information Security training and awareness to its Vendor Representatives. Such training shall occur not less than annually.

s. Audit and Assessment:

♦ At least once per calendar year, Agency reserves the right, upon reasonable notice of 30 days in writing, and at Agency’s expense, to review said Vendor risk program, provision of services to date and ability to provide services going forward. This right includes the use of Agency personnel or may be delegated to a third-party.

♦ Vendor will provide any audit support and assistance reasonably requested by Agency or its representatives in conducting any such audit at no additional cost to Agency. As part of the audit support, Vendor will allow Agency and its auditors access to any employees, freelancers, agents, subcontractors and other personnel performing or responsible for the services, to the extent permitted by applicable Law or, with respect to subcontractors, the applicable agreement.

♦ In the event of a Computer Security Incident or Security Breach, the calendar limitation listed above is not applicable.

♦ Agency reserves the right to audit compliance with the subject matter covered within this Addendum on an annual basis, onsite at Vendor location(s). This right includes the use of Agency personnel or may be delegated to a third-party.

♦ Agency reserves the right to use different methods for Audits and Assessments, including questionnaires, in person or remote assessments.

t. Security Contacts:

♦ Vendor shall assign an individual to act as the primary security liaison between Vendor and Agency. This person shall be a trusted source at Vendor for the distribution of passwords and other confidential security matters.

♦ In the event that the above listed person is no longer acting in the role of security liaison, Vendor shall notify Agency of said change by sending the above information for the new security liaison to [email protected].

u. Artificial Intelligence:

♦ If any AI Tools will have access to Agency systems, Vendor must ensure that security measures and access controls are in place to protect AI-related data and functionalities.

♦ Vendor must ensure that its AI Tools are robust and reliable, able to handle unexpected inputs and conditions without failing or producing incorrect outputs.

♦ Vendor must ensure that all audit trails and detailed logs for all activities related to AI Tools are recorded to assist in potential incident investigations.

♦ Vendor must ensure algorithmic transparency and explainability and have a process for documenting decision-making.

♦ Vendor must ensure that its AI Tools have gone through ethical reviews and been approved for use.

4. Security Incident. Vendor shall notify Agency promptly upon its becoming aware of: (a) any actual or reasonably suspected breach of security, which when reasonably suspected poses a risk to the security, confidentiality or integrity of Agency Data; (b) any actual or reasonably suspected unauthorized access to or acquisition, use, loss, destruction, alteration, compromise or disclosure of any Agency Data; or (c) any circumstance pursuant to which any Applicable Law requires notification of such breach to be given to affected parties or other activity in response to such circumstance (each, a “Security Incident”). In the event of a Security Incident or reasonably likely Security Incident, Vendor shall notify the appropriate Agency personnel by telephone and e-mail within twenty-four (24) hours and by a confirmatory written notice as soon as practicable (but in any event within two (2) business days) following discovery or notification of such actual or likely breach. In addition, an email notification shall be sent to [email protected] per the above defined timeline. In the event of a Security Incident, Vendor shall, at Vendor’s expense: (i) investigate the effects of the actual or likely Security Incident; (ii) execute the remediation plan to remediate the effects of such actual or likely Security Incident and prevent further such incidents; (iii) cooperate with Agency to comply with all Applicable Laws relating to unauthorized use or disclosure of Agency Data; and (iv) mitigate the losses that may be suffered as a result of any such actual or likely Security Incident, including, but not limited to, assisting Agency with making appropriate notifications, or providing, as approved and directed by Agency, ongoing credit or other monitoring that may be required as a result of an actual or likely Security Incident. Without limiting the foregoing, Agency shall make the final decision on notifying (including the contents of such notice) Agency’s clients, employees, affected individuals and/or the general public with agreement of Vendor and in coordination with Vendor teams of such Security Incident, and the implementation of the remediation plan. If a notification to Agency’s clients or affected individuals is required under any Applicable Laws then notifications to all individuals who are affected by the same event (as reasonably determined by Agency) shall be considered legally required. Vendor shall reimburse Agency for all notification related costs incurred by Agency arising out of or in connection with any such Security Incident.

5. Continuity of Operations.

a. Business Continuity Management: Vendor shall have a Business Continuity Program in place that ensures Vendor’s ability to continue to provide services to Agency, per agreed upon requirements or service levels.

b. Risk Assessments: Vendor shall conduct Risk Assessments, as deemed necessary, and a Business Impact Analysis on an annual basis.

c. Vendor shall have Business Continuity Plans that include recovery strategies and actions to address potential impacts. Plans should be updated and reviewed at minimum, on an annual basis.

d. Plan Testing: Vendor shall test their Business Continuity Plans on a regular basis to ensure Plans are accurate and reflect Vendor’s recovery capabilities. Vendor should include Agency in testing, where applicable.

e. Documentation: Vendor shall provide Agency with copies of their Business Continuity Plan and Test Results, as requested by Agency.

6. Disaster Recovery.

a. During the term of the Agreement, Vendor shall maintain a disaster recovery (DR) or high availability (HA) solution and related plan that is consistent with Industry Standards for the Services being provided.

b. Plan Testing: Vendor will test the DR or HA solution and related plan at least once every twelve (12) months or more frequently if test results indicate that critical systems were not capable of being recovered within the timelines defined within the plan.

c. Documentation: Upon request, Vendor will provide summary test results for each exercise which will include the actual recovery point (how much data lost, if any) and recovery times (time to bring back applications and/or Services, if not automated failover) achieved within the exercise. Vendor will provide agreed upon action plans to promptly address and resolve any deficiencies, concerns, or issues that may prevent the critical functionality of the application from being recovered.

LAST UPDATED: February 2026