Information Security
This Exhibit applies to the storing, processing and generating of any of the following types of Goodyear Data (defined below) in connection with the performance of the Services by Supplier or its affiliates or third parties acting on their behalf, regardless of whether it is generated by Goodyear or its affiliates or third parties acting on their behalf, by Supplier or its affiliates or third parties acting on their behalf, or by other third parties:
Personally Identifiable Information (“PII,” defined in the PII Protection Addendum),
Non-public Intellectual Property of Goodyear or its affiliates (defined in the Agreement), or
Other Confidential Information of Goodyear or its affiliates (defined in the Agreement).
If such Goodyear Data includes PII, the attached PII Protection Addendum to the Information Security Exhibit also applies. If such PII is subject to the General Data Protection Regulation of the EU (“GDPR”), the attached EU Data Transfer Addendum also applies in addition to this Exhibit and the PII Protection Addendum (see the EU Data Transfer Addendum for more information on its applicability).
1. Definitions.
“Goodyear Data” means all information and data that is (i) stored, processed or generated in or through the systems of Supplier or its affiliates or third parties acting on their behalf, by or for the benefit of Goodyear and/or its affiliates, or their respective end users or customers; (ii) generated or used by or on behalf of Supplier in connection with the Services under the Agreement; or (iii) derived from any of the foregoing.
“Security Breach” means any loss, theft, or unauthorized access to, or unauthorized use, processing, disclosure, alteration or destruction of, any Goodyear Data in the possession or control of Supplier or of any third party performing Services on behalf of Supplier under this Agreement.
“Supplier IP Addresses” means all public-facing IP addresses that are used to host the Goodyear Data.
2. Safeguards and Controls.
(a) General Standards. Supplier shall maintain and continuously improve effective safeguards and controls, which shall meet or exceed the standard of the industry, to protect Goodyear Data against Security Breaches and to ensure the availability and integrity of Goodyear Data; including, without limitation of the foregoing, safeguards and controls with respect to password configuration, management and obscurity; data management; data retention; backup and disaster recovery; incident management and security escalation processes; physical and environmental security, including security of physical spaces and equipment; and participating in operational service reviews with Goodyear on a schedule to be agreed between Goodyear and Supplier.
(b) Specific Requirements. Without limiting any requirements in this Exhibit (including the PII Protection Addendum, if applicable) or elsewhere in this Agreement or any SOW under this Agreement, Supplier shall, in the course of providing the Services, maintain each of the following safeguards or controls in a manner that meets or exceeds the standard of the industry. Supplier shall:
(i) store the Goodyear Data for no other purpose than to facilitate the provision of Services under this Agreement, and for only so long as is necessary to perform Supplier’s obligations under this Agreement;
(ii) restrict both logical and physical access to the Goodyear Data to those with a need to know such information in order to perform the Services;
(iii) back up all media containing Goodyear Data on a schedule to be agreed between Goodyear and Supplier, and protect such data backups from illegal access and tampering;
(iv) no less frequently than annually, (A) perform penetration and social engineering tests upon the parts of Supplier’s environment hosting Goodyear Data or otherwise used in providing the Services to Goodyear, (B) provide the results to Goodyear in writing, (C) remediate any nonconformities identified in such tests, and (D) certify in writing that it has remediated any such nonconformities;
(v) no less frequently than monthly, (A) perform vulnerability scans upon the parts of Supplier’s environment hosting Goodyear Data or otherwise used in providing the Services to Goodyear, based on known vulnerabilities of the software used in such parts of Supplier’s environment, (B) install and run new software patches and other error corrections no later than ninety (90) days after they are made available, (C) provide the results of such tests and a summary of such patch management efforts to Goodyear in writing, (D) remediate any nonconformities identified in such tests, and (E) certify in writing that it has remediated any such nonconformities;
(vi) ensure that endpoint security tools (including anti-virus tools and intrusion detection and prevention tools) are installed, running, updated and maintained on all parts of Supplier’s environment that are used in providing the Services to Goodyear and that are supported by such tools; and ensure other controls are in place to detect, prevent, and analyze denial of service attacks, virus infections, site compromises, defacement, data loss, hacking and other Security Breaches, and deliver to Goodyear evidence of controls working annually;
(vii) encrypt Goodyear Data (including backed up Goodyear Data) at all access points, both where it is stored and in transit; and
(viii) if destruction is required or requested by Goodyear, destroy the Goodyear Data by employing secure methods that render the data unreadable and unrecoverable, and certify such destruction in writing.
(c) Description of Supplier’s Security Environment. Without limiting any requirements in this Exhibit (including the PII Protection Addendum, if applicable) or elsewhere in this Agreement or any SOW under this Agreement, Supplier shall, to the extent they affect the provision of the Services, maintain the safeguards and controls set forth in the description of Supplier’s security environment attached as Schedule 1 to this Exhibit [Schedule 1 to be provided by Supplier].
(d) Vulnerability Scan. Supplier shall provide Goodyear with a written list of all Supplier IP Addresses. Supplier shall promptly notify Goodyear in writing of any modifications to this list. Goodyear shall have the right to scan all Supplier IP Addresses for vulnerabilities at any time upon reasonable notice to Supplier.
(e) Security Event Logs. Supplier shall (i) maintain 12 months of security event logs (to the extent permitted under applicable local privacy law) in a secure log management infrastructure to ensure the integrity of the logs; (ii) establish policies and procedures for log analysis to ensure adequate security incident response analysis and corrective action plans are implemented for security events, including, but not limited to, unauthorized access and data disclosures, policy violations, fraudulent activity, and operational problems; (iii) document log reviews and make such documentation available to Goodyear when requested for auditing purposes; and (iv) provide log data to Goodyear as requested for specific security investigations or when needed for auditing purposes.
3. Security Breach. No later than twelve (12) hours after Supplier becomes aware of facts or circumstances reasonably indicating that a Security Breach has occurred or is likely to have occurred, Supplier shall, at its expense, (i) commence all reasonable efforts to investigate the Security Breach, mitigate and correct its causes, and remediate its results; and (ii) provide to Goodyear written notice thereof and the information available to it regarding the actual or likely Security Breach. Thereafter, Supplier, at its expense, shall, and shall cause its affiliates and any third parties acting on Supplier’s behalf that are in possession or control of any affected Goodyear Data to, diligently continue reasonable efforts to investigate the Security Breach, mitigate and correct its causes, and remediate its results, and cooperate with any similar efforts Goodyear or its affiliates may undertake, including providing (or providing access to) all information relevant to such Security Breach or necessary to verify that adequate measures have been taken to prevent similar Security Breaches. In the event that any PII was affected by the actual or likely Security Breach, Section 4 of the PII Protection Addendum also applies. Without limiting the remedies set forth in that Section, Supplier shall reimburse Goodyear for any costs or expenses that arise from any Security Breach, to the extent caused by Supplier, its affiliates, or third parties acting on their behalf, and cooperate with Goodyear at Supplier’s expense regarding the timing and manner of any notifications to governmental authorities and to the parties whose information has been the subject of the Security Breach. Goodyear may disclose the occurrence of a Security Breach in connection with such notifications.
4. Third Parties. Supplier will not allow any contractor or other third party to have access to any Goodyear Data or perform any Services with respect to the Goodyear Data under this Agreement or any SOW without the prior written approval of Goodyear. If a third party is to have such access or perform such Services, Supplier shall require such third party to enter into a written agreement requiring the safeguarding of Goodyear Data in a manner no less protective than that required by this Agreement, including this Exhibit (including the PII Protection Addendum, if applicable) and any applicable SOW, during the term of this Agreement and for so long as it has such access or performs such Services, and shall cause such third party to comply with the terms of such agreement. Supplier will be liable for any act or omission of such third party that would constitute a breach of any provision of this Agreement, including this Exhibit (including the PII Protection Addendum, if applicable) and any applicable SOW.
5. Subpoenas. If Supplier receives a subpoena, civil and/or criminal investigative demand, discovery request or other judicial, administrative or governmental request that seeks any Goodyear Data (collectively, “Request”), Supplier shall, to the extent permitted by applicable law, immediately (and no later than 24 hours after the Request was received) notify Goodyear of the Request in writing, provide a copy of the Request to Goodyear, and permit Goodyear to intervene to contest or otherwise seek to limit the scope or protect the confidentiality of such disclosure. Supplier shall comply with Goodyear’s reasonable requests regarding such efforts, and promptly provide Goodyear with the information or tools required for Goodyear to respond to or seek to limit the Request.
6. Termination. Upon any termination or expiration of the Agreement, or upon Goodyear’s request for any reason, Supplier shall, at Goodyear’s option, promptly return or destroy all Goodyear Data. If Goodyear Data is destroyed, Supplier shall certify the destruction of all Goodyear Data, and all copies and back-ups thereof. If Goodyear Data is returned, Supplier shall provide to Goodyear all Goodyear Data, in a form that is acceptable to Goodyear, within three (3) business days (or longer if requested by Goodyear) of any request by Goodyear.
7. Ownership, Location and Deletion of Goodyear Data.
(a) Ownership. As between Supplier and Goodyear, Goodyear owns all Goodyear Data, and Supplier will have no rights in or to any Goodyear Data except as expressly provided in this Agreement or an SOW under this Agreement. Goodyear has the right to direct Supplier in connection with the collection, use, disclosure and retention of all Goodyear Data.
(b) Location. The equipment and data centers utilized to provide Services under this Agreement are located in the following countries: United States. Any storage or transfer of Goodyear Data outside of the foregoing list for any reason must be pre-approved in writing by Goodyear.
(c) Deletion. Supplier will not delete any Goodyear Data other than as provided in an SOW without the prior written approval of Goodyear. Supplier will not delete any information that is the subject of a legal hold instruction that has been provided to Supplier.
8. Compliance.
(a) SOC Reports. At no additional cost or expense to Goodyear, at least once each calendar year during the term of the Agreement, Supplier shall obtain a review of its systems and operations and a Service Organization Controls (SOC) Report by an independent auditor in accordance with the Statement on Standards for Attestation Engagements Number 18 - SOC 1 (Type II) and in accordance with the American Institute of Certified Public Accountants (AICPA) AT101 and based upon the Trust Services Principles - SOC 2 (Type II) (including, at a minimum, security, availability and privacy) and the American Institute of Certified Public Accountants’ Audit Guide, “Audit of Service-Center Produced Records” and/or any successor standards (collectively, “SOC Reports”). Supplier shall deliver to Goodyear SOC Reports at least once per calendar year. Supplier shall promptly resolve any internal control weaknesses or other issues noted in the SOC Reports at no additional expense to Goodyear. In addition, at no additional cost or expense to Goodyear, at least once each calendar year during the term of the Agreement, Supplier shall provide to Goodyear evidence of ISO 27001 compliance. Supplier will also make available to Goodyear at no additional cost any SOC Reports or reports of ISO 27001 compliance that it obtains from its hosting providers or other service providers and is permitted to pass through to its customers concerning the systems that such providers use to provide any of the Services to Goodyear or its affiliates.
(b) Goodyear Audits and Information Requests. Notwithstanding Section 8(a) above: (i) At Goodyear’s discretion, Goodyear reserves the right to conduct independent audits of all portions of Supplier’s environment used to provide Services for Goodyear, using Goodyear associates or designated external audit organizations as appointed by Goodyear. Supplier shall provide all necessary support required for any such Goodyear audit, and shall promptly resolve any internal control weaknesses or other issues noted in such audit, at no additional cost to Goodyear. (ii) Supplier shall, upon Goodyear’s written request from time to time, provide to Goodyear (A) responses to security questionnaires and other general information regarding any of Supplier’s privacy and information security systems, policies and procedures, provided that Supplier is not obligated to provide any information concerning its other customers; and (B) written evidence that Supplier is in compliance with the requirements set forth in this Exhibit (including the PII Protection Addendum, if applicable), and Supplier will provide such evidence promptly after such request at no additional cost to Goodyear. If any such evidence indicates non-compliance, Supplier will promptly resolve any such issue at Supplier’s expense.
(c) Changes to Comply with Applicable Law. If Goodyear determines that any changes to this Exhibit (including the PII Protection Addendum, if applicable) are necessary for Goodyear to comply with any applicable law, the parties shall negotiate in good faith an amendment to this Exhibit so that Goodyear can remain in compliance with applicable law. If the changes impose any costs of performance in addition to those imposed by compliance with this Exhibit prior to such modification, the parties shall negotiate in good faith an equitable adjustment to the compensation due Supplier under the Agreement.
(d) Changes Proposed by Supplier. Any proposed change to Supplier’s information security practices that would cause it to become materially non-compliant with the terms of this Exhibit (including the PII Protection Addendum, if applicable) must be pre-approved by Goodyear in a written amendment to this Exhibit. Should Goodyear not approve such change, and should Supplier determine to proceed with such change, or should Supplier otherwise be materially non-compliant with the terms of this Exhibit or with applicable law, Goodyear may treat the change or other non-compliance as a material breach of this Agreement and terminate this Agreement in accordance with the provisions of this Agreement that apply to termination for material breach.
(e) Indemnity. Supplier shall indemnify, defend and hold harmless Goodyear and its affiliates, and their respective directors, officers, shareholders, agents and employees, from and against any losses, damages, claims, liabilities, costs and expenses (including, without limitation, attorneys' fees and settlement amounts) arising from or relating to any claim of any third party arising from any breach by Supplier of the obligations set out in this Exhibit, including the PII Protection Addendum.
9. Order of Precedence. To the extent the various writings that comprise this Agreement conflict, the order of precedence shall be as follows: the EU Data Transfer Addendum (if applicable) has the highest precedence; followed by the PII Protection Addendum (if applicable); followed by the body of the Information Security Exhibit (if applicable); followed by Statements of Work and the body of the [Agreement] (with the precedence between SOWs and the body of the Agreement being as set forth in the body of the Agreement). For the avoidance of doubt: (i) Where a provision of a document of higher precedence expressly indicates that an aspect of the Services may be varied in a document of lower precedence, such variances will be given effect (for example, Section 7(a) of this Exhibit allows for rights in Goodyear Data to be allocated differently in an SOW); and (ii) Where a provision of a document of higher precedence expressly indicates that it is not intended to limit a provision in a document of lower precedence, the former will not be read to limit such provisions in the latter (for example, Section 2(b) of this Exhibit does not limit any additional safeguards and controls that the parties may agree to in an SOW).
PII Protection Addendum to the Information Security Exhibit
This PII Protection Addendum to the Information Security Exhibit applies to the storing, processing or generating of any Personally Identifiable Information (defined below) in connection with the performance of the Services by Supplier or its affiliates or third parties acting on their behalf, regardless of whether it is generated by Goodyear or its affiliates or third parties acting on their behalf, by Supplier or its affiliates or third parties acting on their behalf, or by other third parties. If such PII is subject to the General Data Protection Regulation of the EU (“GDPR”), the attached EU Data Transfer Addendum also applies in addition to this PII Protection Addendum (see the EU Data Transfer Addendum for more information on its applicability). This Addendum is part of the Information Security Exhibit.
1. Definition of PII.
As used throughout this Agreement, “Personally Identifiable Information” (or “PII”) means any information that alone or in combination with other information identifies, relates to, describes, or is capable of being associated with, a specific, identifiable individual person or household, including, without limiting the generality of the foregoing, any personal information that is protected by applicable laws related to privacy, protection of medical, financial or consumer data, or data breach notification, including but not limited to:
(a) all information that constitutes “personal information” under the California Consumer Privacy Act (the “CCPA”), namely information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household;
(b) all information that constitutes “personal data” under the GDPR, namely any information relating to an identified or identifiable natural person; an “identifiable natural person” being a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and
(c) all information that constitutes “individually identifiable health information” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) if it is created or received by a health care provider, health plan, employer, or health care clearinghouse, namely information that both (i) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (ii) identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual, including demographic information collected from an individual.
“Personally Identifiable Information” includes individuals’ names, home and mobile telephone numbers, home addresses, and email addresses; personal identification numbers such as Social Security or Social Insurance Numbers, driver’s license numbers, state identification card numbers, and passport numbers; and unique identifiers that can be linked to a specific individual, such as vehicle registration numbers, device IDs, and employee numbers; information regarding financial accounts such as account numbers, credit card numbers, debit card numbers, and the security codes, user identifiers, access codes, PINs and passwords and other information used to access such accounts, including date and place of birth and mother’s maiden name; medical information and insurance information; professional or employment or education-related information; characteristics of protected classifications under applicable law; geolocation data; biometric data, signature, and audio, electronic, visual, thermal, and olfactory information; commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; information concerning on-line activities, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement; and inferences drawn from any other PII to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Specific information such as age constitutes “Personally Identifiable Information” when it can be combined with other information to identify one or more specific, identifiable individuals.
Personally Identifiable Information also includes the fact that an individual has a relationship with Goodyear, and the nature of that relationship – for example, customer, employee or contractor.
2. Compliance with Applicable Laws.
If Supplier does or will receive or transmit Personally Identifiable Information originating in, or is in the course of providing the Services otherwise subject to the laws of, any country or jurisdiction outside the US, including without limitation the European Economic Area or Switzerland, Supplier will, during the term of the Agreement and for so long as it is in possession of such Goodyear Data, maintain compliance with any applicable data privacy laws (for example, the European Union and/or EU member state data privacy laws and/or Swiss data privacy laws, as the case may be), including without limitation laws with respect to the onward or cross border transfer of Personally Identifiable Information from such jurisdiction. Without limiting the generality of the foregoing, if provision of the Services is subject to the data protection laws of the European Union, Supplier, and any third party providing on Supplier’s behalf Services that are subject to such laws, will be required to enter into the attached EU Data Transfer Addendum.
3. Requests from Data Subjects.
(a) Opt-Out Requests. If the Services provided by or on behalf of the Supplier include distributing communications on behalf of or at the request of Goodyear, and if Supplier receives instructions regarding communication preferences, including but not limited to opt-out and opt-in requests, then, unless an SOW provides otherwise: (i) Supplier shall immediately (and no later than 24 hours after the request was made or event occurred) notify Goodyear of such expression of preference; and (ii) Goodyear and Supplier shall cooperate in acting upon any such preferences in a timely manner and in ensuring compliance with any requirements under applicable law with respect to such preferences.
(b) Requests Regarding PII. If Supplier receives any request from any person who is the subject of any Personally Identifiable Information either seeking information about, or seeking modification or deletion of, Personally Identifiable Information about themselves, then, unless an SOW provides otherwise: (i) Supplier shall immediately (and no later than 24 hours after the request was made or event occurred) notify Goodyear of such request; and (ii) Goodyear and Supplier shall cooperate in acting upon any such requests in a timely manner and in ensuring compliance with any requirements under applicable law with respect to such requests.
4. Security Breaches Involving PII.
In the event of a Security Breach involving Personally Identifiable Information among the Goodyear Data in the possession or control of Supplier or of any third party performing Services on behalf of Supplier under this Agreement, then in addition to fulfilling the obligations set forth in Section 3 of the Information Security Exhibit, Supplier, at its own expense, shall, and shall cause any such third party to, cooperate with Goodyear to respond to the Security Breach and rectify any issues that result. Without limiting the foregoing, to the extent any such Security Breach is caused by Supplier, its affiliates, or third parties acting on their behalf, Supplier shall reimburse Goodyear for Notification Costs and Claim Costs arising from such Security Breach. “Notification Costs” means all verifiable costs and expenses (including, without limitation, attorneys’ fees) incurred by Goodyear and its affiliates in investigating whether notification of individuals is required and the preparation and delivery of notices to affected individuals and the provision of appropriate credit monitoring services. “Claim Costs” means costs and expenses (including, without limitation, attorneys’ fees and settlement amounts) incurred by Goodyear and its affiliates in respect of individuals who allege that they have suffered injury or damage by reason of such Security Breach. The obligations set forth in this Section will survive termination of this Agreement.