Data Security and Protection Policy

Data Security and Protection Policy

The Chatti Data Security and Protection Policy (Policy) is designed to protect Chatti Data in all situations and wherever they are located. This Policy is intended to protect the confidentiality of all Chatti Data, including corporate, employee, vendor, partner and customer information. Supplier has specific obligations with regard to the protection of Chatti Data. Supplier shall process Chatti Data only in accordance with the Agreement, this Exhibit, written instructions by Chatti, and any model contracts executed by the Parties. 

(a)        Applicable Data Protection Laws mean certain local, state, federal laws, and international regulations, regulatory frameworks, or other legislations relating to the processing and use of Personal Data, as applicable to Chatti's use of the Service and the provision of the Service by Supplier, including:

(i)       The Australian Privacy Principles and the Privacy Act 1988 (Cth);

(ii)      the EU General Data Protection Regulation 2016/679 ("GDPR"), along with any implementing or corresponding equivalent national laws or regulations, once in effect and applicable; and

(iii)     the U.S. Department of Commerce and European Commission's EU--U.S. Privacy Shield Framework ("Privacy Shield"), or any succeeding legislation, available at https://www.privacyshield.gov/, or any succeeding URL, as may be amended. 

(b)        GDPR means the EU General Data Protection Regulation 2016/679. 

(c)        Personal Data means any data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, or located directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

(d)        Process, Processed or Processing means anything that is done to or with Chatti Data, including but not limited to collection, transmittal, viewing, creation, compilation, use, access, disclosure, storage, combination, alteration, erasure, or destruction.

(e)        Security Breach means a confirmed or reasonably suspected (i) a breach of Personal Data or (ii) the intentional or unintentional release of Chatti Data to an individual or organization not authorized to Process such information.

(f)         Sensitive Information means information which is part of Chatti Data, which due to its nature has been classified by law or regulation, as requiring additional privacy and security protection or where no such laws apply, means an individual’s financial information (including financial account information and/or payment card industry data), sexual preferences, medical or health information, and personal information of children protected under any child protection laws (such as the personal information defined under the US Children’s Online Privacy Protection Act).

(g)        Subprocessor means any third party (including an Affiliate of Supplier) that provides services to Supplier and that may have access to unecrypted Chatti Data.

(h)        Transfer means to disclose or make available Chatti Data to a third party, including a Supplier Affiliate or one of its Subprocessor, either by physical movement of the Chatti Data to such third party or be enabling access to the Chatti Data.

(i)         Chatti Data means, collectively, all Chatti Confidential Information, Personal Information, and/or Sensitive Information processed by Supplier in connection with any Agreement in place between Chatti and Supplier.

(a)         Compliance with Laws. Supplier represents that it shall comply with Applicable Data Protection Laws to the extent applicable to Supplier Processing or Transferring of Chatti Data. Supplier also agrees to comply with its own privacy and security policies. 

(b)        Internal Security Policy.  Supplier has, or agrees to implement, an internal security policy governing the protection of its own information technology and the resources of others under its control.  Such policy shall be subject to Chatti’s review upon written request by Chatti. A copy of Supplier’s security policy shall be made available upon request.

(c)        Protected Health Information. If the Chatti Data includes protected health information as defined in the HIPAA Privacy and Security Rules, the parties shall execute a Business Associate Agreement.

(d)        Breach. Failure to comply with the provisions of this Policy is considered a material breach under the Agreement.

(e)        Termination. When Supplier ceases to perform Services for Chatti, Supplier will return or destroy Chatti Data, unless prevented. Electronic media containing Chatti Data will be disposed of in a manner that renders it unrecoverable. If Supplier is required by Applicable Data Protection Laws or audit requirements to retain any Chatti Data, Supplier warrants that it shall:

(i)       ensure the continued confidentiality and security of the Chatti Data;

(ii)      delete or destroy the Chatti Data when the retention period expires; and (

(iii)     not actively Process the Chatti Data other than as needed to comply with its requirements. 

(a)        Security Reviews. Supplier shall submit and update annually, when requested by Chatti, a security questionnaire for Chatti to review the Supplier's compliance with this Policy. Supplier’s responses shall be accurate and complete at all times. 

(b)        Security Measures. Supplier shall ensure that all industry standard security measures current at the time of Processing are in place to protect Chatti Data, including physical, technical, and administrative safeguards and controls to protect Chatti Data against accidental, unauthorized, or unlawful Processing or Transfer, alteration, loss, disclosure or destruction. This includes any records made for quality assurance. Such protections shall include, but not be limited to, (a) protecting against virus, malware and other Supplier side intrusions, (b) encrypting Personal Data and Sensitive Information in transmission and in storage, (c) protecting against intrusions of operating systems or software, and (d) have industry standard Account and Access Management procedures in place that are designed and implemented with a mechanism that will prevent un-auditable and unauthorized access.

(c)        Authorized Use. Supplier shall only Process or Transfer Chatti Data as necessary to perform the Services and as authorized pursuant to an Order, SOW or a DPA. It will not sell, share, or otherwise transfer or disclose any Chatti Data received from Chatti to any other party without prior written consent from Chatti. 

(d)        Access to Information.  Supplier shall ensure that only persons with a need to know are allowed to access Chatti Data, and only to and for the limited extent and purpose for which such persons have a need to know. All parties who have access to Chatti Data must be bound by legally enforceable confidentiality obligations similar to those contained in the Confidential Information section of this Agreement  

(e)        Network Security. If the Processing involves the transmission of Chatti Data over a network, Supplier shall have implemented appropriate supplementary measures to protect the Chatti Data against the specific risks presented by the Processing. The transmission of Chatti Data must utilize FIPS 140-2 compliant secure transmission protocol and data encryption (both in transit and at rest).  Firewalls shall be configured according to industry best practices

(f)         Data Centre Physical Safeguards. Supplier and its Sub-processors shall comply with physical security controls outlined in industry standards, and that possess a valid annual external audit certification report, such as SOC 2 or ISO 27001 certifications. Supplier must maintain such certifications for the duration of this agreement. Only allow Personnel with business critical need to know to have access to controlled access areas. 

(g)        Access Points. Any externally facing web servers and third party access points will be configured securely to include, but not be limited to, employing only FIPS 140-2 compliant secure transmission and data encryption protocols.

(h)        Encryption. Supplier shall encrypt Chatti Data using FIPS 140-2 compliant encryption protocols    

(i)         Monitoring. Supplier shall regularly monitor the security of its network to:

(i)    identify patterns of suspicious network activity:

(ii)   transaction activity that might indicate unusual transaction types, volumes, timing, or amounts violations or attempts; and

(iii)  log-in violations or attempts.

(j)         Testing. Supplier shall regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures. Testing should include annual network penetration testing

(k)        Portable Devices. Chatti Data may not be stored on portable computer devices or media including, without limitation, laptop computers, removable disks, USB or flash drives, mobile phones, or CDs.      

(l)         Business Continuity/Disaster Recovery. Supplier shall have documented business continuity and disaster recovery plans to enable it to continue to provide the Services in a timely manner in the event of business interruption. Supplier will regularly test and monitor the effectiveness of such plans and, provide confirmation of such tests at Chatti’s written request.

(m)      Destruction of Information.  Unless otherwise required by law, upon termination or cancellation of the Agreement or a relevant Order or SOW, or at Chatti’s written request, all Chatti Data (including media used to transmit data and to create backups of Chatti Data) must be (a) destroyed in a manner that causes all Chatti Data to be irrecoverable and/or (b) returned to Chatti upon completion of the Services in a manner acceptable to Chatti and (c) certify in writing that all Chatti Data has been returned to or destroyed after its use, or as agreed.

(n)        ISO/IEC and PCI Compliance. Supplier and/or its Subprocessor who will be creating, handling, modifying, storing, processing, accessing, transferring or interacting with credit card data for Chatti customers in any form,  agrees that it is responsible for ensuring the protection and preventing the unauthorized disclosure or use of such data. Further, Supplier represents that it currently conforms, and warrants that it will continue to comply at all times during the Agreement, with the standards of the Payment Card Industry (“PCI”) for information security, and shall provide to Chatti promptly, upon request from time to time as considered necessary by Chatti, valid proof of certification by a recognized certifying organization. The current standards may be found at http://www.pcisecuritystandards.org. Without limiting Chatti’s other remedies, Supplier  agrees to be responsible for any and all fines or penalties incurred by Chatti on account of any PCI violation by Supplier or its Affiliates or Sub processors provided that such fines or penalties would not have been incurred but for Supplier violation and provided that Supplier’s liability shall be limited with respect to that portion of such fines or penalties as is equivalent to the proportion of Supplier’s violation relative to all other causes of such claims as determined by a root cause analysis of the causes. Where there is a conflict between the standards used by ISO/IEC and PCI, the most current PCI standard shall govern.      

(o)        Security Updates and Reviews. Supplier shall implement security changes, patches and upgrades in networks, systems, applications and software in a timely manner and commensurate with the threat to Chatti Data but no later than ninety days from release, or in accordance with Supplier’s Patch and/or Vulnerability Management policy. Security changes, patches and upgrades correcting significant or immediate security issues shall be implemented immediately, subject to appropriate testing, no later than ten days after release, or in accordance with Supplier’s Patch and/or Vulnerability Management policy. 

(p)        Service Organization Control Reports.  If Supplier will be creating, handling, modifying, storing, processing, accessing, transferring or interacting with Chatti Data, Supplier will execute, at its own expense, external, independent audits to produce a SOC-2 audit report or any successor report thereto. Supplier will continue to execute audits and issue corresponding reports for the duration of the Agreement on at least an annual basis. In addition, if requested by Chatti, Supplier shall deliver to Chatti a letter from a senior executive of Supplier that: (i) contains a written representation that Supplier’s internal controls as represented in the most recent SOC-2 audit report remains in all material respects unchanged through the date of the letter; or (ii) identifies all material changes in Supplier’s internal controls since the most recent SOC-2 audit report.  

(q)        Due Diligence over Personnel and Sub-processors. Supplier shall maintain appropriate due diligence when utilizing Supplier personnel or Sub-processors who may have access to Chatti Data.

(a)        Sub-processors. Supplier shall not Transfer Chatti Data without the prior written consent of Chatti. Supplier shall be liable for Transfers of Chatti Data to its Sub-processors. Supplier shall ensure that Sub-processors are contractually bound to comply with or provide at least the same level of confidentiality, security, and privacy protection as is required of Sub-processors by the Privacy Shield Principles and the Applicable Data Protection Laws and the terms of this Exhibit. Supplier shall provide Chatti a list of all Sub-processors within five business days of any request. 

(b)        International Transfers.  Supplier shall not Transfer Chatti Data across national borders or permit remote access to Chatti Data from any Sub-processor or other third party outside the country in which the Chatti Data originated unless Supplier has the prior written consent of Supplier for such Transfer. Supplier agrees that Chatti must authorize all cross-border transfers, including by use of approved Transfer mechanisms.

(a)        Notification.  If Supplier discovers or is notified of a Security Breach or which is related to any fraudulent or unauthorized use of Chatti Data, Supplier shall notify Chatti within 72 hours upon discovery of a Security Breach and fully cooperate with the investigation and remediation, up to and including prosecution of involved individuals. This notification must be made via email to Vendor.Security@Chatti.com. Supplier shall have incident management policies and procedures in place to handle a Security Breach

(b)        Remediation. Supplier shall be fully responsible for all damages, fines (whether criminal or civil) and costs arising from a Security Breach arising from either (i) the negligence or misconduct of Supplier or any Sub processor or (ii) the failure of Supplier to comply with the terms of the Agreement. Any failure of Supplier to abide by, train its personnel on or enforce any of the terms contained in this exhibit will be considered a material breach of the Agreement.