This Vendor Data Security Agreement (this “Agreement”) is a binding agreement between Universal Weather and Aviation, Inc. (“UWA”) and its vendors that receive UWA Data (as defined below) from UWA (each, a “Vendor”).
- Definitions. For purposes of this Agreement, the following terms have the following meanings:
“Data Law” means any applicable law, rule, regulation, directive, or decree issued or enacted by any local, state, provincial, national, or supra-national government, court, agency, or authority, relating to data security or privacy.
“Personal Data” means any data that: (i) can be used, alone or in connection with other information, to identify an individual; or (ii) is otherwise subject to any applicable privacy or data laws regarding personal data. For the avoidance of doubt, Personal Data includes, but is not limited to, all “nonpublic personal information,” as defined under the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), “protected health information” as defined under HIPAA, and “personal data” as that term is defined in EU Directive 95/46/EC, the EU General Data Protection Regulation 2016/679 (the “GDPR”), and the EU-US Privacy Shield Framework.
“Process” means to use, disclose, store, modify, or otherwise process.
“Remediation Efforts” means activities designed to respond to and remedy a Security Incident, including without limitation: (i) creation and delivery of notices to affected individuals and entities; (ii) establishment and operation of toll-free or dedicated telephone numbers for affected individuals to receive information and assistance; (iii) procurement of credit monitoring, credit or identity repair services, and identity theft insurance for affected individuals; (iv) cooperation with regulatory, government and/or law enforcement inquiries and other similar actions; (v) investigating such Security Incident; (vi) public relations and other crisis management strategies; and (vii) cooperation in any litigation regarding such Security Incident; and in each case of examples (i) through (vii), payment of legal costs, disbursements, fines, settlements and damages.
“Security Incident” means the loss of, or unauthorized Processing of, UWA Data.
“Security Measures” means all appropriate technical and organizational measures to ensure the security of any Personal Data, including as appropriate and without limitation: (a) the anonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (c) ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. For purposes of this definition, “appropriate” means commercially reasonable based on an assessment of the sensitivity of the Personal Data and the corresponding risk of any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access thereto or thereof.
“UWA Data” means all data or information, including Personal Data, that is provided by or on behalf of UWA or its affiliates to Vendor, or is otherwise obtained, developed, produced or Processed by Vendor or its agents or contractors, together with any derivatives of the foregoing, in any medium or format. UWA Data excludes any data or information that is expressly defined as owned by Vendor.
- Ownership. As between Vendor and UWA, UWA is the sole owner of all rights, title and interest in and to UWA Data. No right, title, license, or other interest of any kind in or to any UWA Data is granted to Vendor, and Vendor will not Process any UWA Data except as expressly authorized. The parties agree that UWA is the “data controller” and Vendor is the “data processor” for purposes of any Data Law. Vendor will assist UWA, by appropriate technical and organizational measures, in fulfilling UWA’s responsibilities as a data controller under Data Laws, including (i) UWA’s obligation to respond to requests made by data subjects and (ii) those arising pursuant to Articles 32 to 36 of the GDPR (relating to data security, breach notification, and impact assessments).
- Compliance and Personnel. Vendor represents and warrants that: (i) it and its employees, agents, and contractors are and will remain at all times in compliance with all Data Laws; and (ii) neither it nor its employees, agents, or contractors have been involved in any violation of Data Laws in the three years prior to the date of this Agreement. Vendor will ensure that any personnel authorized to Process the Personal Data are bound by appropriate obligations of confidentiality, and that such personnel do not Process any Personal Data except in accordance with UWA’s documented instructions. Vendor will: (a) not contract with any third parties for the Processing of any Personal Data without UWA’s prior written authorization; (b) ensure that any authorized contract imposes on such third party the same data protection obligations set forth in this Agreement; and (c) be fully liable for the acts and omissions of such third party to the same extent as if they were Vendor’s own acts and omissions.
- Security and Deletion of Data. Vendor will ensure that the Security Measures are fully implemented. Vendor will, at UWA’s request, delete or return to UWA all Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of such Personal Data.
- Security Reviews and Audits. Vendor will make available to UWA all information reasonably necessary to demonstrate compliance with this Agreement. Vendor will, upon request, provide UWA with reports of any audits performed on Vendor’s Security Policies and Controls. Vendor will respond within a reasonable time period to any inquiries from UWA relating to Vendor’s and Vendor’s agents’ and contractors’ Security Policies and Controls. Vendor will, upon UWA’s request, provide UWA or UWA’s representatives access to Vendor’s and Vendor’s agents’ and contractors’ systems and records that involve or are related to any Processing of UWA Data so that an audit may be conducted. UWA will not exercise such audit right more frequently than once per 12-month period and UWA will bear the full cost and expense of any such audit, unless such audit discloses a Security Incident or a breach of this Agreement, in which case Vendor will bear the full cost and expense of such audit and a further audit may be conducted by UWA or UWA’s representatives within the current 12-month period.
- Security Incidents. Vendor will promptly notify UWA upon learning of a Security Incident, and will consult in good faith with UWA regarding Remediation Efforts that may be necessary and reasonable. Vendor will (i) at UWA’s direction undertake Remediation Efforts at Vendor’s sole expense and reimburse UWA for UWA’s reasonable costs and expenses in connection with any Remediation Efforts it elects to undertake, (ii) ensure that such Remediation Efforts provide for, without limitation, prevention of the recurrence of the same type of Security Incident, and (iii) reasonably cooperate with any Remediation Efforts undertaken by UWA.
- Liability for Security Incidents and/or Data Misuse. Vendor will indemnify, defend and hold harmless UWA, its affiliates, and each of their officers, shareholders, directors, employees, agents and customers from and against any losses, damages, liabilities, judgments, awards, penalties, costs or expenses, including reasonable attorneys’ fees (“Losses”) incurred as a result of any claim, demand, suit, action, or other proceeding arising out of or relating to: (i) any Security Incident (unless caused by UWA’s acts or omissions); or (ii) Vendor’s or its employees’, agents’ or contractors’ breach of this Agreement. For the purposes of this Section, Losses will include, without limitation, the cost of Remediation Efforts. Vendor’s obligations in this Section are in addition to any indemnification or similar obligations Vendor may have. The rights and remedies of UWA under this Agreement will not be subject to any limitation or exclusion of actions or remedies or any other similar limiting provisions. Vendor acknowledges that UWA may have no adequate remedy at law for a breach or threatened breach of this Agreement and that UWA may, in addition to any legal or other remedies available to UWA, seek injunctive or other equitable relief to prevent or remedy such breach.
- Notice to UWA Customers and Employees. Vendor will not contact UWA customers or employees regarding any Security Incident unless legally obligated to do so, in which case Vendor will: (i) first notify UWA in writing; and (ii) limit the notices to the individuals, entities, and information required by the legal obligation or as pre-approved by UWA.