Data Privacy and Security Requirements

BenefitPlan Manager is a benefit management services company committed to providing end-to-end accurate, dynamic and client centric results. BenefitPlan Manager’s technology team is responsible for seamless connectivity between employees, employers, insurance carriers, payroll vendors and third-party administrators.

Definitions

(a) “Affiliate” means, with respect to any Person, any other Person that (i) is directly or indirectly owned or controlled by, (ii) is directly or indirectly under common ownership or control with, or (iii) directly or indirectly owns or controls, such Person.

(b) “Agreement” includes this Agreement, the Term Sheet, and the BAA.

(c) “BAA” or “Business Associate Agreement” means the Business Associate Agreement attached to this Agreement as Exhibit “B”.

(d) “BPM” means BenefitPlan Manager Corp. and all “Representatives” (as defined below) of BenefitPlan Manager Corp.

(e) “Computer Environment” means networks, servers, systems, computers, databases and applications of a party, including, without limitation, any such assets owned, licensed, leased or subscribed to by a party.

(f) “Confidential Information” means all confidential, proprietary and/or technical information of Client, including, without limitation, (i) information regarding employees, business processes, methodologies, technical knowledge, trade secrets, user IDs, passwords, third-party information required to be maintained by Client as confidential, and (ii) related non-technical business information which is clearly identified as confidential at the time of disclosure or which BPM knows or should have reason to know is confidential.

(g) “Client Assets” means “Client Information” (as defined below) and/or the “Client Computer Environment” (as defined below), as applicable.

(h) “Client Computer Environment” means the networks, servers, systems, computers, databases and applications of Client, including, without limitation, any such assets owned, licensed, leased or subscribed to by Client, such as networks, servers, systems, computers, databases and applications of a “Representative” (as defined below) of Client that are licensed, leased or subscribed to by Client.

(i) “Client Information,” which includes Confidential Information, means any and all digital and non-digital information and materials of Client communicated or otherwise made accessible to BPM, in any way, whether in tangible, visual or oral form, pertaining to the products, services, customers, employees, locations or Representatives of Client, including, without limitation, “Personal Data” (as defined below) and information regarding the Client Computer Environment, and any and all information and materials derived from or incorporating Client Information.

(j) “Covered Person” means any natural person for whom information has been provided to BPM and who at any time is or was entitled to benefits under the PROSPECTIVE CLIENT benefit plans administered by BPM.

(k) “Media” (including its cognate, “Medium”) means digital and non-digital physical devices or writing surfaces onto which information is recorded, stored or printed, now or hereafter known or developed, including, without limitation, paper, microfilm, diskettes, magnetic tapes, removable hard drives, flash drives, compact disks and mobile devices, including, without limitation, laptops, smart phones, tablets, USB Drives and CD/DVD media.

(l) “Party” means BPM or Client, as appropriate, and its cognate “Parties” means both BPM and Client.

(m) “Person” includes any natural person and any partnership, limited partnership, limited liability partnership, limited liability company, corporation, trust or any other form of legal entity.

(n) “Personal Data” means any information that can be used to identify, contact or locate an individual, an existing or potential employee or client of Client, or any Covered Person, including, without limitation, first name or initial and last name, date of birth, mother’s maiden name, unique biometric, Social Security Number, passport number, driver’s license or other state identification number, financial information, health information, medical or dental identification number, health insurance identification number, employment information, employer-assigned identification number, signature, personal web page, telephone number, home address, business address, other mailing address, email address or online identifier associated with an individual, geographic location, IP address or similar identifier, MAC (media access control) address, user ID, password, security question and answer, cookie information, profile and any other information relating to an individual, including usage and traffic data.

(o) “Premises” means the premises of a party, as well as facilities operated, owned or leased by a party.

(p) “Processing” (including its cognates, “Process” and “Processed”) means any operation or set of operations that is performed upon assets, including Client Assets, whether or not by automatic means, including, without limitation, acquiring, accessing, remotely accessing, collecting, recording, copying, organizing, storing, maintaining, preserving, adapting, altering, developing, creating, modifying, retrieving, searching, consulting, using, transmitting, messaging (including, without limitation, “texting,” emailing and chatting), disclosing, disseminating, making available, aligning, combining, blocking, deleting, erasing, discarding, disposing of or destroying assets, including Client Assets.

(q) “Representatives” means: (1) the officers, directors, employees, consultants, contractors, subcontractors, suppliers, service providers, agents, subsidiaries, affiliates, heirs, successors and assigns of a party, (2) parties acting or purporting to act on behalf of a party, and (3) parties under the direction or control of a party.

(r) “Security Incident” means: (1) any actual or reasonably suspected event that poses a risk to the security, confidentiality or integrity of Client Assets, such as: (a) loss of, theft of, damage to or unauthorized Processing of property of Client, (2) any actual or reasonably suspected unauthorized, unlawful or inadvertent Processing, corruption, transfer, sale, rental or lease of Client Assets, (3) any other act or omission that compromises the security, confidentiality or integrity of Client Assets, or (4) any circumstance pursuant to which applicable law requires notification of such event to be given to affected parties or other activity in response to such circumstance.

(s) “Technical and Operational Security Measures and Policies” means security measures and policies designed to protect and prevent loss of, theft of, damage to and unauthorized Processing of Client Assets, which measures shall be appropriate and commensurate with the Client Assets being Processed and risk of a breach of the security, confidentiality or integrity of such Client Assets.

Standards; BPM’s Policies and Procedures

(a) BPM shall employ industry standard practices with respect to all of BPM’s responsibilities and obligations set forth in this Agreement, including, without limitation, practices that equal or exceed industry standard practices identified by the International Organization for Standardization’s standards: ISO/IEC 27001/27002, or a comparable industry standard, in order to ensure the security, confidentiality and integrity of Client Assets.

(b) At any and all times, including throughout the term of this Agreement, during which BPM is Processing, which includes accessing and remotely accessing, Client Assets, BPM represents and warrants that BPM shall: (1) employ appropriate, reasonable and up-to-date Technical and Operational Security Measures and Policies to protect the security, confidentiality and integrity of Client Assets, including, but not limited to the use of firewall protection, and physical and logical access controls, (2) upon Client’s request, provide evidence that BPM has established and maintains Technical and Operational Security Measures and Policies, and (3) establish policies and procedures to, upon Client’s request, provide all reasonable and prompt assistance to Client in responding to requests, complaints or other communications received from a third party or from any individual who is or may be the subject of Personal Data Processed by BPM.

BPM’s Physical Security

(a) BPM shall maintain physical security standards designed to prohibit unauthorized physical access to BPM’s Premises.

(b) BPM shall limit physical access to BPM’s Premises to BPM's Representatives and authorized visitors with a need for such access.

(c) BPM will promptly terminate BPM’s Representative’s physical access to BPM’s Premises in the event of the resignation, death or termination of employment, engagement or assignment of such Representative.

(d) BPM will periodically review access accounts to verify that access permissions are up-to-date and that stale accounts are terminated.

BPM’s Computer Environment

(a) BPM will ensure that BPM’s Computer Environment is protected from known vulnerabilities by adhering to industry standard practices, including, but not limited to: (1) maintaining anti-virus and anti-malware software, (2) adhering to standard patching as defined in BPM’s policy, which shall, at minimum, be reasonable, comply with law, and adhere to industry standards for third party providers of similar services, (3) monitoring BPM’s Computer Environment, (4) logging events related to BPM’s Computer Environment, and (5) scanning all email through use of spam and virus filters.

(b) BPM will implement a demilitarized zone (“DMZ”) to limit inbound and outbound traffic to only components of BPM’s Computer Environment that provide authorized publicly accessible services, protocols and ports, and will restrict inbound and outbound traffic to that which is necessary for BPM’s performance under this Agreement.

(c) BPM agrees that Client shall not have any responsibility for ensuring the protection of BPM’s Computer Environment, including, without limitation, BPM’s private internal network and information, and that BPM shall be entirely responsible for providing appropriate security measures to ensure protection of BPM’s Computer Environment. Client agrees not to do anything to intentionally or inadvertently bypass security controls (e.g. sharing credentials, uploading viruses to portal, etc.). BPM will identify and assess any vulnerabilities, risks and threats in software during the software lifecycle (including, without limitation, during development, testing, implementation, maintenance, management and updates) through retirement of the software. Remediation efforts will be based on these assessments.

BPM’s Contingency Planning

(a) BPM shall maintain a business continuity plan that addresses the possibility of a potential disruption of service, disaster, failure or interruption of BPM’s ordinary business processes, to ensure BPM can continue to fulfill BPM’s responsibilities and obligations under this Agreement. BPM synchronizes all applicable systems to a secondary data center and will work with operations teams to bring those systems back up in a timely manner in a facility of BPM’s choosing.

(b) BPM shall provide Client a copy of BPM’s current and then in effect business continuity plan, upon Client’s written request.

Access to Client Assets; Identification and Authentication Controls

(a) BPM shall ensure that the Processing of Client Assets is protected so that non-authorized parties cannot Process Client Assets.

(b) BPM uses role-based access to provide its Representatives access to the systems needed to Process. Access is removed as part of the termination process in accordance with the Account and Password Security Policy.

(c) BPM will implement strong password controls in compliance with its Account and Password Security Policy, which shall, at minimum, be reasonable, comply with law, and adhere to industry standards for third party providers of similar services.

Permissible Uses

(a) BPM hereby agrees: (1) not to Process (which includes, not to access or remotely access) Client Assets except as necessary to perform BPM’s obligations under this Agreement, and (2) to limit the Processing of Client Assets to BPM’s Representatives possessing a need-to-know for the purpose of BPM’s performance under this Agreement.

Client Assets in Transit; Remote Access

(a) At any and all times during which BPM is Processing (which includes accessing and remotely accessing) Client Assets, BPM will make use of strong transmission protection protocols in accordance with our Cryptography and Key Management Policy, which shall, at minimum, be reasonable, comply with law, and adhere to industry standards for third party providers of similar services.

(b) BPM shall encrypt (using key length/strength of not less than 256 bits) all Confidential Information and Personal Data, including all Confidential Information and Personal Data within BPM’s Computer Environment, in transit.

Client Assets in Storage

(a) BPM shall safely secure all Client Assets during storage.

(b) All Client Assets stored on portable laptops shall be encrypted.

(c) BPM will ensure that Client Assets are and will be stored on logically segmented databases or files and that access to such databases and files is restricted solely to authorized users of BPM.

(d) BPM does not currently store or have future intentions to store Client Assets in, or export Client Assets to, a location outside the United States.

Termination of Processing

(a) BPM agrees that BPM will continue to treat any Client Assets in BPM’s possession, custody or control as confidential, in accordance with the terms of this Agreement.

Incident and Response

In the event of a Security Incident, BPM shall: (a) immediately notify Client after obtaining actual knowledge of the Security Incident, and (b) take all actions necessary to promptly determine the scope of the Security Incident and to prevent further breach of the security, confidentiality and integrity of the applicable Client Assets, including, without limitation, by: (1) promptly contacting Client’s account manager by phone and email, (2) at the sole cost and expense of BPM, timely issuing any disclosures and notifications to affected parties and effecting any other remedial measures and/or actions as requested by Client and/or as required under applicable law, (3) providing Client with periodic and regular updates following the occurrence of the Security Incident, (4) providing Client a written report describing the Security Incident, actions taken by BPM during BPM’s response to the Security Incident, and actions BPM will take to prevent a similar Security Incident from occurring in the future, and (5) convening a post-mortem meeting with Client following the closure of the review of the Security Incident to discuss, and, as necessary, adjust existing response procedures and implement additional revised protective measures.

Regulatory Compliance Requirements

(a) At any and all times during which BPM is Processing Client Assets, BPM represents and warrants that BPM shall comply and maintain compliance, and shall cause its subcontractors and agents to comply and maintain compliance, with all applicable foreign or domestic laws, rules, regulations, directives, ordinances, governmental restrictions, orders, judgments or decrees affecting, involving or relating to the provision of products, services and/or other deliverables to Client, and any generally accepted industry standards, directives or guidelines, or self-regulatory principles relating to privacy, data collection, storage, use, disclosure, protection and security.

Client’s Data Security and Privacy Requirements

(a) BPM shall complete, execute and submit to Client when requested, at the sole cost and expense of BPM, an independent Statement on Standards for Attestation Engagements No. 16 (“SSAE 16”) SOC 1 or comparable independent attestation to confirm BPM’s controls over BPM’s processes.

Audit and Accountability

(a) Client reserves and shall have the right hereunder to: (1) verify the performance of the services and the quality of any products or deliverables, (2) assure compliance by BPM with the terms of this Agreement, (3) investigate conduct that may be illegal or may adversely affect Client, and (4) prevent unauthorized Processing of Client Assets. BPM shall cooperate with Client, and cause its Representatives to cooperate with Client, and provide Client with access to, and cause its Representatives to provide Client with access to, BPM’s and its Representatives’ Computer Environment and other Processing systems as Client deems necessary in order to exercise its rights under this paragraph.

(b) BPM shall monitor all aspects of BPM’s Processing of, including the accessing and remote accessing of, Client Assets.

Third-Party Agreements

(a) During the term of this Agreement, BPM shall abide by and keep current all agreements that BPM has with third-party hosting centers, which agreements shall be in writing and include terms and conditions to ensure BPM’s compliance with this Agreement. Notwithstanding anything herein to the contrary, BPM and Client shall enter into the Business Associate Agreement attached as Exhibit B and incorporated herein by reference. All of BPM’s obligations under this Section II shall also be in compliance with the terms of the BAA, and, in the event of any conflict or discrepancy between the BAA and this Agreement, the more stringent terms shall apply with respect to protection, security, use or disclosure of Confidential Information, Client Information, Personal Data and any other information received by BPM from Client, or created or received by BPM on behalf of Client.