SERVICE PROVIDER SECURITY AGREEMENT
Clemson University ("Clemson") and Vendor Name Here ("Service Provider")


This Service Provider Security Agreement (this "Agreement") effective as of (the "Effective Date"), is entered into by Clemson University, and ("Service Provider").

WHEREAS, Service Provider is currently providing services to Clemson under existing contracts or agreements, whether written or oral, and may enter into future contracts or agreements, whether written or oral, with Clemson (the "Underlying Contracts");

WHEREAS, Service Provider may have access to, receive, maintain, process or transmit Cardholder Data, as necessary for Service Provider to perform its obligations under the Underlying Contracts;

WHEREAS, Service Provider acknowledges its responsibility for the security of cardholder data that Service Provider possesses or stores, processes, or transmits on behalf of cardholders;

WHEREAS, in order to comply with their obligations under the Payment Card Industry Data Security Standard, the parties wish to enter into this Service Provider Security Agreement to govern Service Provider's use of, or access to, Cardholder Data and implement appropriate safeguards for the security of Cardholder Data under all of the Underlying Contracts;

NOW THEREFORE, in consideration of the promises and mutual covenants and agreements of the parties as set forth herein, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

1. DEFINITIONS

For purposes of this Agreement:

1.1 Administrative Safeguards shall mean administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect Cardholder Data and to manage the conduct of Service Provider's workforce in relation to the protection of that Cardholder Data.

1.2 Attestation of Compliance (AOC) shall mean a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on Compliance.

1.3 Card Brands shall mean Master Card, Visa, American Express, Discover and JCB.

1.4 Cardholder Data (CHD) shall mean any personally-identifiable data associated with a cardholder's payment that is processed, stored, or transmitted by the Service Provider on behalf of Clemson. Examples include but are not limited to: primary account number, expiration date, card type, name, address, social security number, and card validation code.

1.5 Cardholder Data Environment (CDE) shall mean an interconnected set of information resources or systems under the direct management and control of the Service Provider that store, process, or transmit CHD or any system that provides security to a system that processes, stores, or transmits CHD. A system normally includes hardware, software, information, data, applications, communication, and people.

1.6 Payment Card Industry Data Security Standard (PCI DSS) shall mean a baseline set of technical and operational requirements designed to protect CHD that are amended and released from time to time by the Payment Card Industry Security Standards Council. PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit CHD.

1.7 Payment Card Industry Security Standards Council (PCI SSC) shall mean the Payment Card Industry Security Standards Council, a global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for CHD protection.

1.8 Physical Safeguards shall mean physical measures, policies, and procedures to protect the Service Provider's CDE and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

1.9 QSA shall mean a Qualified Security Assessor as defined by the PCI SSC and listed on the council's list of qualified assessors.

1.10 Report on Compliance (ROC) shall mean a report documenting detailed results from an entity's PCI DSS assessment and provided to the Card Brands and performed by a PCI SSC QSA.

1.11 Security Safeguards shall mean all of the Administrative, Physical, and Technical Safeguards in the CDE.

1.12 Security Incident shall mean the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.

1.13 Technical Safeguards shall mean the technology and the policy and procedures for its use that protect CHD and control access to it.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Payment Card Industry Data Security Standard, as applicable.

2. OBLIGATIONS AND ACTIVITIES OF SERVICE PROVIDER

2.1 Service Provider agrees to only use Clemson's CHD as permitted or required by this Agreement or as required by law.

2.2 Service Provider agrees to use appropriate safeguards to maintain the security of the CHD and to prevent unauthorized use or disclosure of CHD, which will in no event be any less than the stricter of any applicable PCI DSS security standards or the means which Service Provider uses to protect its own confidential information. Service Provider agrees to implement Security Safeguards that reasonably and appropriately protect the confidentiality of the CHD that Service Provider receives, transmits, processes, or stores on behalf of Clemson.

2.3 Service Provider agrees to promptly report to Clemson any use or disclosure of CHD that is not permitted by this Agreement or of any Security Incident of which Service Provider becomes aware as soon as reasonably possible and in any event within five (5) days of the date on which it becomes aware of the use/disclosure.

2.4 Service Provider agrees to ensure that any agent, including an authorized subcontractor, that receives, uses, or has access to CHD in the performance of the Underlying Contracts agrees, in writing, to the same restrictions and conditions on the use and/or disclosure of such CHD that apply to Service Provider through this Agreement.

2.5 Service Provider, at its sole expense, agrees to mitigate, to the extent practicable, any harmful effect that is known to Service Provider of a use or disclosure of CHD by Service Provider in violation of the requirements of this Agreement.

2.6 Service Provider shall secure all CHD that is maintained by Service Provider by a technology standard that renders CHD unusable, unreadable, or indecipherable to unauthorized individuals that is consistent with guidance suggested by the PCI DSS.

2.7 Service Provider shall maintain at all times a current PCI DSS security standards assessment as required according to the Card Brands level of service provider. If the Service Provider operates as a Level 1 Service Provider, the Service Provider agrees to provide Clemson, at least annually or on written request, an executive summary of the Service Provider's current ROC and an AOC signed by a duly authorized officer of the Service Provider. For all other Service Provider levels, the Service Provider shall provide Clemson, at least annually or on written request, with an AOC signed by a duly authorized officer of the Service Provider.

2.8 Service Provider agrees to make available to Clemson at least annually all material relevant to its compliance with PCI DSS with respect to CHD for monitoring by Clemson consistent with section 12.8.4 of PCI DSS.

3. PERMITTED USES AND DISCLOSURES BY SERVICE PROVIDER

3.1 Service Provider may use CHD only as follows:

a. Except as otherwise limited in this Agreement, Service Provider may use CHD as necessary to perform functions, activities, or services for Clemson as specified in the Underlying Contracts, provided that such use or disclosure would not violate any applicable laws.

b. Service Provider will not permit the disclosure of CHD to any person or entity other than such of its employees, agents, or subcontractors who must have access to the CHD in order for Service Provider to perform its obligations under an Underlying Contract.

3.2 All other uses or disclosures of CHD not authorized by this Agreement are prohibited.

4. OBLIGATIONS OF CLEMSON

Clemson agrees to timely notify Service Provider of any changes to Clemson's privacy or security practices on the use of CHD applicable to or accepted by Clemson to the extent that such changes or restrictions may impact Service Provider's use of any CHD.

5. TERM AND TERMINATION

5.1 Term. This Agreement shall be effective as of the Effective Date and shall continue in effect until terminated as provided in Section 5.2 or until all of the CHD provided by Clemson to Service Provider, or created or received by Service Provider on behalf of Clemson, is destroyed or returned to Clemson.

5.2 Termination For Cause. In the event Clemson determines that Service Provider has committed a material breach of this Agreement, Clemson may either: (i) provide an opportunity for Service Provider to cure the breach or end the violation, provided that Clemson may immediately terminate any Underlying Contracts that require the use of CHD if Service Provider does not cure the breach or end the violation within the time frame specified by Clemson; (ii) immediately terminate any Underlying Contracts if Service Provider has breached a material term of this Agreement and Clemson determines in its sole discretion that a cure is not possible.

5.3 Effect of Termination. Upon the termination, for any reason, of this Agreement or an Underlying Contract with the Service Provider, Service Provider will promptly return to Clemson or, at Clemson's sole option, destroy any CHD in its possession or control, or in the possession or control of its agents or subcontractors, and will retain no copies of such CHD. Upon Clemson's request, Service Provider shall certify to Clemson that all CHD in its possession or control, or in the possession or control of its agents or subcontractors, has been returned or destroyed as required by this Agreement. Any right or license that Service Provider has to use the CHD will terminate immediately upon the termination of this Agreement or the Underlying Contract allowing its use.

6. INDEMNIFICATION

Service Provider agrees to indemnify, defend, and hold harmless Clemson, and its employees and agents, against any loss, claim, damage, or liability, including any fines or penalties and reasonable and direct costs associated with notifications to affected individuals and credit monitoring and protection services if and to the extent proximately caused by a breach of this Agreement by Service Provider or resulting from any unauthorized access, disclosure, or use of any data maintained by or on behalf of Service Provider for Clemson under the Underlying Contract.

7. RIGHT TO INJUNCTIVE RELIEF

Service Provider expressly acknowledges and agrees that the breach, or threatened breach, by it of any provision of this Agreement may cause Clemson to be irreparably harmed and that Clemson may not have an adequate remedy at law. Therefore, Service Provider agrees that upon such breach, or threatened breach, Clemson will be entitled to seek injunctive relief to prevent Service Provider from commencing or continuing any action constituting such breach without having to post a bond or other security and without having to prove the inadequacy of any other available remedies. Nothing in this paragraph will be deemed to limit or abridge any other remedy available to Clemson at law or in equity.

8. MISCELLANEOUS

8.1 Regulatory References. Any reference in this Agreement to a section in the PCI DSS means the section as in effect at the time or as amended from time to time by the PCI SSC.

8.2 Survival. The respective rights and obligations of Service Provider and Clemson under Sections 5.3 and 6 of this Agreement will survive the termination of this Agreement.

8.3 Other Confidentiality Obligations. The parties acknowledge that this Agreement is intended to supplement any and all other confidentiality obligations that either party may have under this or any other agreement or applicable law.

8.4 Underlying Contracts. The terms of this Agreement will govern the use of CHD under any Underlying Contract. Except as specified herein, all other terms of an Underlying Contract will continue in full force and effect. In the event of any conflict among the provisions of this Agreement and the Underlying Contract, the provisions of this Agreement will control.

8.5 Amendment. This Agreement may only be modified, or any rights under it waived, by a written agreement executed by both parties. The parties agree to amend this Agreement from time to time as is necessary for Clemson to comply with the requirements of the PCI DSS, and any current or future security standards promulgated thereunder.

8.6 Interpretation. Any ambiguity in this Agreement will be resolved to permit Clemson to comply with the PCI DSS and any current or future security standards promulgated thereunder.

8.7 Waiver. Any failure of a party to exercise or enforce any of its rights under this Agreement will not act as a waiver of such rights.

8.8 Notice. Except as otherwise specified in this Agreement, any notice or requests for information to Clemson or Service Provider under this Agreement shall be sent to:

CLEMSON:
Procurement Services
Administrative Services Building
108 Perimeter Rd.
Clemson, SC 29634

With a copy to:
Cash and Treasury Services
Administrative Services Building
108 Perimeter Rd.
Clemson, SC 29634

SERVICE PROVIDER:
Address:
Telephone:
Fax:
Email:

The notice provisions set forth in the Underlying Agreement, if any, shall continue in full force and effect with respect to all other notices arising under the Underlying Agreement.

8.9 Binding Effect. The agreement shall be binding upon, and shall inure to the benefit of, the parties and their respective successors and permitted assigns.

8.10 Severability. If any provision of this Agreement is held by a court of competent jurisdiction to be illegal, invalid, or unenforceable under present or future laws effective during the term of this Agreement, the legality, validity, and enforceability of the remaining provisions shall not be affected thereby.

8.11 Counterparts. This Agreement may be executed in counterparts, each of which shall be deemed an original but all of which shall constitute one and the same instrument.

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf.

CLEMSON UNIVERSITY
By:
Print Name:
Print Title:
Date:

(Place Vendor Name Here)
By:
Print Name:
Print Title:
Date: