Standard Information Security Clause
1. Information Security Requirements
1.1. In this clause “Customer Data” shall mean the data and other information (in whatever form or medium held) provided to the Czarnikow Group Limited by, or on behalf of, Intellync or generated for Intellync by or on behalf of the Czarnikow Group Limited in connection with this Agreement and “IT Resources” shall mean firewalls, routers, servers, personal computers, peripherals and all other information technology equipment or assets used or managed by or on behalf of the Czarnikow Group Limited in connection with the provision of services to Intellync.
1.2. Without prejudice to its other obligations under this Agreement and all applicable data protection and information security laws, the Czarnikow Group Limited shall implement and maintain appropriate technical and organisational measures to protect the Customer Data against unauthorised or unlawful processing and accidental destruction, damage or loss and to maintain at all times the ongoing confidentiality, integrity, availability and resilience of the Customer Data. This shall include, but not be limited to, the Czarnikow Group Limited:
1.2.1. keeping its IT Resources up-to-date with patches or other updates that improve or enhance security;
1.2.2. performing regular tests (at least once every three months) of its IT Resources to detect any information security vulnerabilities, including patch management, port scanning and virus scanning;
1.2.3. continuous monitoring and logging of IT Resources for signs of potential unauthorised or malicious activity;
1.2.4. procuring, at least once in every twelve-month period, an independent third party with appropriate industry experience and accreditation to perform penetration tests to assess its IT Resources for information security vulnerabilities;
1.2.5. addressing any critical and high-risk vulnerabilities immediately and other vulnerabilities within a reasonable timeframe;
1.2.6. where a subcontractor or other third party appointed by the Czarnikow Group Limited has access to or processes or handles Customer Data (to the extent permitted under the terms of this Agreement or with the prior written consent of Intellync): (i) conducting an information security risk assessment of any such third party to ensure that it will act in accordance with the information security principles of this Agreement; and (ii) ensuring that information security obligations that are the same as or no less stringent than those imposed on the Czarnikow Group Limited under this Agreement are imposed by contract on the third party; and
1.2.7. maintaining compliance with, and providing the Services in accordance with, security standard ISO/IEC 27002.
1.3. The Czarnikow Group Limited shall share the results of any testing carried out under Clause 1.2 with Intellync on request or at such regular intervals as required by Intellync.
1.4. On expiry or termination of this Agreement the Czarnikow Group Limited shall, at the choice of Intellync, either promptly and securely return the Customer Data to Intellync and/or (unless its continued storage by the Czarnikow Group Limited is required by law) promptly and securely delete the Customer Data.
1.5. The Czarnikow Group Limited shall notify Intellync without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to the Customer Data and shall provide such information, access and assistance to Intellync (or its nominated third party) as Intellync may reasonably require, and within the timescales reasonably specified by Intellync, for the investigation and resolution of the incident.
2. Compliance and Audit
2.1. The Czarnikow Group Limited shall, upon request, provide Intellync with evidence of compliance with Clause 1 (Information Security Requirements) and/or any security audit reports produced by or for it.
2.2. At reasonable times and on reasonable notice, Intellync or its nominated third parties may conduct audits and security risk assessments to assess the Czarnikow Group Limited’s compliance with Clause 1 (Information Security Requirements). The Czarnikow Group Limited shall ensure access to its premises, records and personnel in order to assist with any such audits.