Security and Compliance

Definitions

“Customer” refers to the entity that has ordered services from Apps Associates under this Agreement and defined in each Statement of Work hereunder.

“Services” shall mean each software engineering and consulting service to be performed by Apps Associates for Customer as described in a Statement of Work and governed by the terms of this Agreement.

“Parties” means Apps Associates and Customer collectively and “Party” means each of Apps Associates and Customer individually.

“Personal Data” means any information or data that relates to an identified or identifiable natural person, or data considered to be personal data as defined under Data Privacy Laws.

“Confidential Information” means all technical, financial, operational, marketing and sales information of either Party disclosed to the other that is either designated as “Confidential” or that the receiving Party should reasonably understand to be confidential given the nature of the information and the circumstances of its disclosure. A Party’s Confidential Information shall not include information that: (a) is or becomes a part of the public domain through no act or omission of the receiving Party; (b) was in the receiving Party’s lawful possession prior to the disclosure by the disclosing Party and had not been obtained by the receiving Party either directly or indirectly from the disclosing Party; (c) is lawfully disclosed to the receiving Party by a third party without restriction on the disclosure; or (d) is independently developed by the receiving Party without use of or reference to the disclosing Party’s Confidential Information.

“Data Privacy Laws” means any applicable law, statute, directive or regulation regarding privacy, data protection, and/or the processing of Personal Data to which Apps Associates and/or the Customer are subject, and which is applicable to the parties’ data protection obligations under this Agreement.

“Security Incident” means any circumstance that involves, or which a party reasonably believes may involve, the accidental or unauthorized access, use, disclosure, modification, storage, destruction or loss of Customer Confidential Information in Apps Associates’ or Apps Associates Personnel’s possession, custody, or control.

Security Exhibit

Apps Associates shall maintain a written security program that includes appropriate administrative, technical, organizational, and physical safeguards, security awareness, and security measures designed to protect Confidential Information from unauthorized access and use.

Apps Associates agrees to install and implement security hardware, software, procedures, and policies that will provide effective information security. Apps Associates agrees to use commercially reasonable efforts to monitor and update such hardware, software, procedures, and policies to utilize improved technology and to respond to developing security threats, so as to maintain a level of security protection, preparedness and resilience appropriate for the information involved and the then-current state of security solutions. Upon request, Apps Associates shall provide Customer with the latest SSAE 18 audit reports issued to Apps Associates during the term of this Agreement.

Apps Associates further agrees to:

Maintain and implement an information security program.
Apps Associates shall only collect, access, use, or share Confidential Information with authorized third parties, in performance of its obligations under the Agreement, or to comply with applicable legal obligations. Apps Associates will not make any secondary or other use (e.g., for the purpose of data mining) of Confidential Information except (a) as expressly authorized in writing by Customer in connection with Customer’s purchase of Services hereunder, or (b) as required by law.

Apps Associates shall:

  • Upon written notice, and no more than once per annum on a mutually agreed-upon date, at Customer’s expense, permit Customer, or its designee, to conduct an assessment of Apps Associates’ data security controls, policies, and procedures located on the OneTrust GRC self-service website. Annual SOC reports, bridge letters, enterprise policies, and other important artifacts can be accessed and downloaded by the Customer for evidentiary purposes.
  • Use commercially reasonable efforts, as measured by the available technology at the time, to prevent anyone other than its authorized employees and Customer and its agents from accessing the Confidential Information.
  • Use, and cause Apps Associates’ personnel to use, appropriate forms of encryption or other secure technologies in connection with the processing of Confidential Information, including in connection with any transfer, communication, remote access, or storage (including back-up storage) of Confidential Information, as authorized or permitted under the Agreement.
  • Provide information to, and fully cooperate with, Customer in response to any subpoena, investigation or the like seeking Confidential Information, and provide information and assistance for Customer to seek certification and the like relative to its Confidential Information, including information in the possession of Apps Associates. Apps Associates shall promptly notify Customer upon the receipt of any request from a third party requiring that Confidential Information be supplied to a third party.
  • Not provide Confidential Information to any other entity without the prior written approval of Customer, or as otherwise authorized under this Agreement, except in circumstances where law enforcement and legal proceedings may prohibit it.

Security

The following provisions apply whenever Apps Associates will have access to Confidential Information.

Apps Associates shall:

  • Comply with all applicable Data Privacy Laws.
  • Only collect, access, use, or share Confidential Information with authorized third parties, in performance of its obligations under the Agreement and/or Order, in conformance with Customer’s instructions, or to comply with legal obligations. Apps Associates will not make any secondary or other use (e.g., for the purpose of data mining) of Confidential Information except (i) as expressly authorized in writing by Customer in connection with Customer’s use of the Services, or (ii) as required by law.
  • Not share, transfer, disclose or provide access to Confidential Information with any third party except to provide services under the Agreement, or as required by law. If Apps Associates does share, transfer, disclose or provide access to any authorized Confidential Information to a third party, it shall:
    1. be responsible for the acts and omissions of any subcontractor or other third party that processes (within the meaning of the applicable Data Privacy Laws) Confidential Information on Apps Associates’ behalf, in the same manner and to the same extent as it is responsible for its own acts and omissions with respect to such Confidential Information; and
    2. ensure such third party is bound by a written agreement that contains the same or equivalent obligations and protections as those set forth in this Section.
  • Provide such information, assistance and cooperation as Customer may reasonably require from time to time to establish Apps Associates’ compliance with applicable Data Privacy Laws.

Data Privacy

For all inquiries related to data privacy, please contact us:

Data Protection Officer
Apps Associates LLC (HQ)
289 Great Road Suite 308
Acton, MA 01720
[email protected]

Security Incidents

Apps Associates shall take all reasonable measures to contain and remedy the Security Incident, wherever possible; provide Customer with information regarding the investigation and remediation of the Security Incident, unless restricted by law; not make any notification or announcement, or publish or otherwise authorize any broadcast of any notice or information about a Security Incident (a “Security Incident Notice”), without the prior written consent of Customer and Customer’s prior written approval of the content, media and timing of the Security Incident Notice (if any), unless required to do so by law or court order; and even where required to do so by law or court order, make all reasonable efforts to coordinate with Customer prior to providing any Security Incident Notice.

Please visit our Apps Secure page for additional information regarding the Apps Associates information security and privacy programs.