Vendor Data Security Agreement

This Vendor Data Security Agreement (this “Agreement”) is a binding agreement between Universal Weather and Aviation, Inc. (“UWA”) and its vendors that receive UWA Data (as defined below) from UWA (each, a “Vendor”).

  1. Definitions. For purposes of this Agreement, the following terms have the following meanings:

    “Data Law” means any applicable law, rule, regulation, directive, or decree issued or enacted by any local, state, provincial, national, or supra-national government, court, agency, or authority, relating to data security or privacy.

    “Personal Data” means any data that: (i) can be used, alone or in connection with other information, to identify an individual; or (ii) is otherwise subject to any applicable privacy or data laws regarding personal data. For the avoidance of doubt, Personal Data includes, but is not limited to, all “nonpublic personal information,” as defined under the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.), “protected health information” as defined under HIPAA, and “personal data” as that term is defined in EU Directive 95/46/EC, the EU General Data Protection Regulation 2016/679 (the “GDPR”), and the EU-US Privacy Shield Framework.

    “Process” means to use, disclose, store, modify, or otherwise process.

    “Remediation Efforts” means activities designed to respond to and remedy a Security Incident, including without limitation: (i) creation and delivery of notices to affected individuals and entities; (ii) establishment and operation of toll-free or dedicated telephone numbers for affected individuals to receive information and assistance; (iii) procurement of credit monitoring, credit or identity repair services, and identity theft insurance for affected individuals; (iv) cooperation with regulatory, government and/or law enforcement inquiries and other similar actions; (v) investigating such Security Incident; (vi) public relations and other crisis management strategies; and (vii) cooperation in any litigation regarding such Security Incident; and in each case of examples (i) through (vii), payment of legal costs, disbursements, fines, settlements and damages.

    “Security Incident” means the loss of, or unauthorized Processing of, UWA Data.

    “Security Measures” means all appropriate technical and organizational measures to ensure the security of any Personal Data, including as appropriate and without limitation: (a) the anonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (c) ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. For purposes of this definition, “appropriate” means commercially reasonable based on an assessment of the sensitivity of the Personal Data and the corresponding risk of any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access thereto or thereof.

    “UWA Data” means all data or information, including Personal Data, that is provided by or on behalf of UWA or its affiliates to Vendor, or is otherwise obtained, developed, produced or Processed by Vendor or its agents or contractors, together with any derivatives of the foregoing, in any medium or format. UWA Data excludes any data or information that is expressly defined as owned by Vendor.
  2. Ownership. As between Vendor and UWA, UWA is the sole owner of all rights, title and interest in and to UWA Data. No right, title, license, or other interest of any kind in or to any UWA Data is granted to Vendor, and Vendor will not Process any UWA Data except as expressly authorized. The parties agree that UWA is the “data controller” and Vendor is the “data processor” for purposes of any Data Law. Vendor will assist UWA, by appropriate technical and organizational measures, in fulfilling UWA’s responsibilities as a data controller under Data Laws, including (i) UWA’s obligation to respond to requests made by data subjects and (ii) those arising pursuant to Articles 32 to 36 of the GDPR (relating to data security, breach notification, and impact assessments).
  3. Compliance and Personnel. Vendor represents and warrants that: (i) it and its employees, agents, and contractors are and will remain at all times in compliance with all Data Laws; and (ii) neither it nor its employees, agents, or contractors have been involved in any violation of Data Laws in the three years prior to the date of this Agreement. Vendor will ensure that any personnel authorized to Process the Personal Data are bound by appropriate obligations of confidentiality, and that such personnel do not Process any Personal Data except in accordance with UWA’s documented instructions. Vendor will: (a) not contract with any third parties for the Processing of any Personal Data without UWA’s prior written authorization; (b) ensure that any authorized contract imposes on such third party the same data protection obligations set forth in this Agreement; and (c) be fully liable for the acts and omissions of such third party to the same extent as if they were Vendor’s own acts and omissions.
  4. Security and Deletion of Data. Vendor will ensure that the Security Measures are fully implemented. Vendor will, at UWA’s request, delete or return to UWA all Personal Data after the end of the provision of services relating to Processing, and delete existing copies unless applicable law requires storage of such Personal Data.
  5. Security Reviews and Audits. Vendor will make available to UWA all information reasonably necessary to demonstrate compliance with this Agreement. Vendor will, upon request, provide UWA with reports of any audits performed on Vendor’s Security Policies and Controls. Vendor will respond within a reasonable time period to any inquiries from UWA relating to Vendor’s and Vendor’s agents’ and contractors’ Security Policies and Controls. Vendor will, upon UWA’s request, provide UWA or UWA’s representatives access to Vendor’s and Vendor’s agents’ and contractors’ systems and records that involve or are related to any Processing of UWA Data so that an audit may be conducted. UWA will not exercise such audit right more frequently than once per 12 month period and UWA will bear the full cost and expense of any such audit, unless such audit discloses a Security Incident or a breach of this Agreement, in which case Vendor will bear the full cost and expense of such audit and a further audit may be conducted by UWA or UWA’s representatives within the current 12 month period.
  6. Security Incidents. Vendor will promptly notify UWA upon learning of a Security Incident, and will consult in good faith with UWA regarding Remediation Efforts that may be necessary and reasonable. Vendor will (i) at UWA’s direction undertake Remediation Efforts at Vendor’s sole expense and reimburse UWA for UWA’s reasonable costs and expenses in connection with any Remediation Efforts it elects to undertake, (ii) ensure that such Remediation Efforts provide for, without limitation, prevention of the recurrence of the same type of Security Incident, and (iii) reasonably cooperate with any Remediation Efforts undertaken by UWA.
  7. Liability for Security Incidents and/or Data Misuse. Vendor will indemnify, defend and hold harmless UWA, its affiliates, and each of their officers, shareholders, directors, employees, agents and customers from and against any losses, damages, liabilities, judgments, awards, penalties, costs or expenses, including reasonable attorneys’ fees (“Losses”) incurred as a result of any claim, demand, suit, action, or other proceeding arising out of or relating to: (i) any Security Incident (unless caused by UWA’s acts or omissions); or (ii) Vendor’s, its employees’, agents’ or contractors’ breach of this Agreement. For the purposes of this Section, Losses will include, without limitation, the cost of Remediation Efforts. Vendor’s obligations in this Section are in addition to any indemnification or similar obligations Vendor may have. The rights and remedies of UWA under this Agreement will not be subject to any limitation or exclusion of actions or remedies or any other similar limiting provisions. Vendor acknowledges that UWA may have no adequate remedy at law for a breach or threatened breach of this Agreement and that UWA may, in addition to any legal or other remedies available to UWA, seek injunctive or other equitable relief to prevent or remedy such breach.
  8. Notice to UWA Customers and Employees. Vendor will not contact UWA customers or employees regarding any Security Incident unless legally obligated to do so, in which case Vendor will: (i) first notify UWA in writing; and (ii) limit the notices to the individuals, entities, and information required by the legal obligation or as pre-approved by UWA.