Data Security - Exhibit A
Last Updated April 2023.
DATA SECURITY EXHIBIT
In the course of providing the Services, Utilimarc may collect, transfer, store and use Client Data (as defined and as permitted in the Agreement) that is provided to, collected by or made accessible to Utilimarc. For these purposes, Client Data may be transferred to or be accessible to: (i) Utilimarc personnel as is required to perform the Services in accordance with the Agreement; (ii) third parties where required by law (including, but not limited to, courts, law enforcement, or regulatory authorities), provided Utilimarc will provide reasonable notice to Client prior to any such disclosure if legally permissible; and (iii) others who are providing services pursuant to the Agreement.
Utilimarc shall maintain internal company wide policies and procedures addressing the secure storage and handling of Client Data.
Information Security Management Program
Utilimarc has developed, documented, approved, and implemented IT security policies and/or procedures that include reasonable administrative, technical, and physical safeguards to protect assets and Client Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Such security policies and procedures address, but are not limited to, the following areas:
- Risk management
- Written security policy
- Human resources security
- Compliance to policies
- Vendor management
- Access control
- Operations security
- Network security
- Information security incident response
- Disaster recovery
Utilimarc management reviews IT security at planned intervals or as a result of changes to the organization to ensure its continuing effectiveness and accuracy.
In the course of providing the Services for Client, Utilimarc shall do the following:
- Designate security and privacy personnel responsible for the development and implementation of the IT security policies and procedures;
- Implement reasonably appropriate technical safeguards designed to protect the security and integrity of Client Data, such as firewalls, intrusions detection systems, multi-factor authentication, logging and monitoring systems, anti-virus software, access control systems, and encryption;
- Restrict access to Client Data to approved users who have a need to access such Client Data to perform Utilimarc’s obligations under the Agreement;
- In a reasonably timely manner, de-provision, revoke, or modify user access to Utilimarc’s systems, information assets and Client Data upon any change in status of employees, contractors, or business partners. A change in status includes termination of employment or contract, change of employment, or transfer within the organization.
- Maintain policies for data retention, purging, and storage, and backup/redundancy mechanisms; and
- Implement reasonable physical and security safeguards to restrict access to Client Data.
Utilimarc shall have a defined and documented disaster recovery policy for technology disaster recovery.
Such policy shall:
- Document a plan for Utilimarc’s recovery from an unforeseen disaster or emergency which interrupts information systems and business operations;
- Provide for reasonable physical protection against damage from deliberate attacks as well as natural causes and disasters; and
- Identify an appropriate backup strategy to include redundancies and durable storage infrastructure to permit restoration of the Services with a maximum recovery time objective of not more than 24 hours from declaration of a disaster.
- Utilimarc shall ensure security mechanisms and redundancies are implemented to reasonably protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).
- Utilimarc shall conduct a compliance review of such policy each year. Client may request a high level summary of the results of such review.
Security Incident Response
Utilimarc will maintain information security incident response procedures to respond to Security Incidents within the Cloud Services. Utilimarc shall provide timely notification to Client of Security Incidents after becoming aware of an actual Security Incident involving Client Data. Timely notification is defined as providing notice to Client as soon as reasonably practicable and without undue delay after Utilimarc became aware of the Security Incident. Utilimarc will respond to, contain and remediate Security Incidents, using commercially reasonable efforts, on a continuous basis. A “Security Incident” is a security compromise of a Utilimarc network or server used to provide the Cloud Services resulting in the unauthorized access, use, transfer or acquisition of Client Data. Utilimarc shall inform Client about incident response activities in reasonable intervals until the incident is resolved. Utilimarc will further maintain a process to capture and apply knowledge gained from such events to address the likelihood of reoccurrence.
4893-6631-9708, v. 1