Nasdaq has updated its Data Processing Addendum (DPA).  The DPA posted to this page was in effect for agreements executed between January 1, 2020, and September 30, 2021.   For all new agreements including a hyperlink to this page, the current and effective DPA is posted at https://www.nasdaq.com/data-processing-addendum.  If you have an agreement with Nasdaq that is subject to this DPA, and you wish to amend it to include the new DPA (which incorporates the latest version of the EU Standard Contractual Clauses and the UK International Data Transfer Addendum), please contact your Nasdaq account manager.

Below is the text from the posted version of the Nasdaq DPA dated January 1, 2020:

This Data Processing Addendum (this "DPA") forms part of the definitive written agreement between Nasdaq and Customer, which hyperlinks to this DPA (as amended from time to time, the "Agreement"). This DPA is effective as of the date the hyperlink to this DPA is incorporated into the Agreement (“Effective Date”). For the purposes of this DPA, “Nasdaq” means the Nasdaq contracting entity identified in the Agreement, and “Customer” means the Customer contracting entity identified in the Agreement. Nasdaq and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."

Customer enters into this DPA on behalf of itself and its Affiliates to the extent Nasdaq Processes Customer Personal Data in performance of the Services for such Affiliates. For the purposes of this DPA only, and except where indicated otherwise in this DPA, the term "Customer" will include Customer and its Affiliates.

HOW THIS DPA APPLIES

This DPA is binding on the Parties only to the extent applicable Data Protection Laws govern the Processing of Customer Personal Data in performance of the Services. This DPA is fully incorporated into and made a part of the Agreement. This DPA replaces any existing terms, addendums, or other attachments related to the Processing of Customer Personal Data unless otherwise expressly stated in this DPA. In the event of any inconsistency between the terms of this DPA and any terms of the Agreement with respect to Customer Personal Data, the terms of this DPA will govern and control.

DATA PROCESSING TERMS

The Parties agree that the terms of this DPA govern the Processing of Customer Personal Data in performance of the Services. Each Party, acting reasonably and in good faith, will comply with the terms of this DPA.  Any other Processing of Personal Data with respect to Customer and Customer’s users conducted by Nasdaq as a Data Controller, including business relationship administration and system security, will be carried out in accordance with Nasdaq’s then-current privacy policy located at the following hyperlink: https://www.nasdaq.com/privacy-statement (or any successor hyperlink).

1. Definitions and Interpretation

Capitalized terms used herein shall have the meanings set forth in this Section 1 and elsewhere in this DPA. All other capitalized terms not defined herein will have the meanings set forth in the Agreement. For purposes of this DPA: (i) the words "include," "includes," and "including" are deemed to be followed by the words "without limitation"; (ii) the word "or" is not exclusive; (iii) words denoting the singular have a comparable meaning when used in the plural, and vice-versa; and (iv) words denoting any gender include all genders.

1.1 “Affiliate” of a Party means any other entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Party. The term "control" (including the terms "controlled by" and "under common control with") means the direct or indirect power to direct or cause the direction of the management and policies of a Party, whether through the ownership of voting securities, by contract, or otherwise.

1.2 “Customer Personal Data” means Personal Data Processed by Nasdaq (or any Sub-Processor) on behalf of and at the direction of Customer under the Agreement.

1.3 “Data Controller” (or equivalent term under applicable Data Protection Laws) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.4 “Data Processor” (or equivalent term under applicable Data Protection Laws, including “service provider”) means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

1.5 “Data Protection Laws” means any applicable laws or regulations governing the Processing of Customer Personal Data in performance of the Services, including, to the extent applicable, the European General Data Protection Regulation (the “GDPR”).

1.6 “Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.7 “Personal Data” means any information relating to a Data Subject that is subject to protection under applicable Data Protection Laws.

1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.9 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, retention, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.10 “Services” means the services provided by Nasdaq to Customer or Customer’s Affiliates (as the case may be) under the Agreement.

1.11 “Special Data Categories” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; or such other similar types of information designated for heightened protection under applicable Data Protection Laws.

1.12 “Sub-Processor” means a Data Processor engaged by Nasdaq for the purpose of Processing Customer Personal Data in performance of the Services.

1.13 “Supervisory Authority” means the relevant governmental body or bodies having jurisdiction over the Processing of Customer Personal Data under this DPA.

2. Processing of Customer Personal Data

2.1 Roles of the Parties. To the extent Nasdaq Processes Customer Personal Data in performance of the Services, the Parties agree that Customer is the Data Controller and Nasdaq is the Data Processor.

2.2 Nasdaq as Data Processor.  Nasdaq, as Data Processor, will Process Customer Personal Data only on the documented instructions of Customer as provided in Section 2.4 and Section 2.5 of this DPA. Nasdaq will not Process Customer Personal Data for any other purpose, except to the extent Processing of Customer Personal Data is required by applicable laws.

2.3 Customer as Data Controller. Customer, as Data Controller, agrees that Customer:

2.3.1 is solely responsible for the accuracy, quality, and legality of Customer Personal Data, including the means by which Customer acquires Customer Personal Data;

2.3.2 is solely responsible for any registration, notice, or other authorization with any regulator required under applicable laws to engage Nasdaq to perform the Services;

2.3.3 has the authority to transmit or disclose Customer Personal Data to Nasdaq (or permit Nasdaq to access Customer Personal Data); and

2.3.4 will provide Nasdaq with lawful instructions with respect to the Processing of Customer Personal Data.

2.4 Customer’s Instructions. Customer instructs Nasdaq (and authorizes Nasdaq to instruct each Sub-Processor) to Process Customer Personal Data, including any cross-border transfers of Customer Personal Data in performance of the Services. The Parties agree that the scope of Customer’s instructions for the Processing of Customer Personal Data is defined by: (i) the Agreement; (ii) any applicable ordering documents, including service orders, order forms, statements of work, and product or service descriptions; (iii) this DPA; and (iv) any Modified Instructions (as defined below).

2.5 Modified Instructions. Customer may request amendments to Customer’s instructions, where such amendments are required to ensure that Customer complies with applicable Data Protection Laws and Customer cannot achieve Customer’s compliance with applicable Data Protection Laws unless Nasdaq implements such instructions (“Modified Instructions”), by submitting a written request to Nasdaq in accordance with the change control or amendment procedures set forth in the Agreement. Customer and Nasdaq may mutually agree in writing to amend the Agreement to effect such Modified Instructions. If Nasdaq notifies Customer that it is infeasible or impracticable to implement any Modified Instructions, Customer may terminate the applicable Service by providing Nasdaq with written notice within thirty (30) days of Nasdaq’s notification and receive a prorated refund of prepaid fees applicable to the terminated Service for the period after termination. This Section 2.5 states Customer’s sole and exclusive remedy, and Nasdaq’s sole liability, with regard to Modified Instructions.

2.6 Details of the Processing of Customer Personal Data. The duration of the Processing of Customer Personal Data will be the same as the duration of the Agreement, except as otherwise agreed in writing by the Parties. The subject matter of the Processing of Customer Personal Data is set forth in the Agreement and this DPA. The nature and purpose of the Processing of Customer Personal Data involve the provision of the Services to Customer as set forth in the Agreement and this DPA. The types of Customer Personal Data Processed under this DPA and the relevant categories of Data Subjects are set forth in Appendix 1 to this DPA.

2.7 Processing of Special Data Categories. Any Processing of Special Data Categories is subject to mutual agreement of the Parties and must be set forth in a schedule to this DPA or a separate written agreement.

3. Confidentiality Obligations of Nasdaq Personnel

3.1 Confidentiality Obligations of Nasdaq Personnel. Nasdaq will ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Information Security Program

4.1 Information Security Program. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nasdaq will in relation to Customer Personal Data implement a written information security program that includes technical and organizational measures designed to protect such Customer Personal Data against unauthorized access, use, disclosure, alteration, or destruction, including the measures set forth in Article 32(1) of the GDPR to the extent such measures are applicable to Nasdaq’s Processing of Customer Personal Data in performance of the Services. As of the Effective Date of this DPA, a summary of such technical and organizational measures is set forth in Appendix 2 to this DPA.

5. Subprocessing

5.1 Appointment of Sub-Processors; Liability. Customer authorizes Nasdaq to appoint Sub-Processors, including Nasdaq's Affiliates, for the purpose of providing the Services. Nasdaq will enter into a written agreement with each Sub-Processor containing data protection obligations not less protective than those set forth in this DPA with respect to the Processing of Customer Personal Data. Nasdaq will remain responsible for any Sub-Processor's actions with respect to the Processing of Customer Personal Data.

5.2 Notice and Customer’s Right to Object to New Sub-Processors. Nasdaq will notify Customer of its intention to engage any new Sub-Processor in accordance with the notice procedures set forth in the Agreement or as otherwise provided in this DPA. Customer will have ten (10) days from the date of such notification to reasonably object to the engagement of any new Sub-Processor by providing written notice to Nasdaq. If Customer objects to the engagement of a new Sub-Processor and the Parties cannot reach an agreement as to the use of the new Sub-Processor, Customer may terminate the portion of the Service for which the new Sub-Processor is engaged and receive a prorated refund of prepaid fees applicable to the terminated portion of the Service for the period after termination as its sole and exclusive remedies. If Customer has not notified Nasdaq of its objection within the time period set forth in this Section 5.2, Customer will be deemed to have approved the use of the new Sub-Processor.

5.3 Automated Notification Mechanism. For purposes of providing notice in accordance with Section 5.2 of this DPA, Nasdaq may implement mechanisms by which Customer can receive automated notifications of new Sub-Processor engagements (each, an "Automated Notification Mechanism") at no additional cost to Customer. If Nasdaq implements an Automated Notification Mechanism, Nasdaq will notify Customer and provide detailed instructions on the use of such Automated Notification Mechanism. Customer agrees to register for and use any Automated Notification Mechanism if it is made available by Nasdaq.

5.4 Cross-Border Transfers of Customer Personal Data to Sub-Processors. To the extent any transfers of Customer Personal Data by Nasdaq to a Sub-Processor are subject to onward cross-border transfer restrictions under applicable Data Protection Laws, Nasdaq will have in place appropriate data transfer solutions with such Sub-Processors to provide adequate protection for such Customer Personal Data as required by applicable Data Protection Laws.

6. Assistance to Customer Related to Data Subject Requests

6.1 Data Subject Request Notification. Nasdaq will promptly notify Customer if Nasdaq receives a request from a Data Subject to exercise his or her rights under applicable Data Protection Laws with respect to Customer Personal Data.

6.2 Customer’s Responsibility with respect to Data Subject Requests. Customer will be solely responsible for responding to requests, complaints, and all other communications from Data Subjects; provided, however, Nasdaq may confirm to the Data Subject that Nasdaq received his or her communication. To the extent that Customer can respond to such requests by using its access to Customer Personal Data or any “self-service” functionality of the Services, Customer will do so.

6.3 Assistance in Responding to Data Subject Requests. Upon Customer's written instruction and to the extent required by applicable Data Protection Laws, Nasdaq will provide Customer with assistance to fulfill Customer’s obligations to respond to requests from Data Subjects to exercise his or her rights under applicable Data Protection Laws by implementing appropriate and technical organizational measures, insofar as it is possible, taking into account the nature of the Processing.

7. Assistance with Customer’s Other Data Protection Rights and Obligations

7.1 Assistance Related to Customer’s Other Data Protection Rights and Obligations. Taking into account the nature of the Processing and the information available to Nasdaq, Nasdaq will provide assistance required to be provided by Data Processors to Data Controllers under applicable Data Protection Laws, including the assistance required under Article 28(3) of the GDPR to the extent such assistance is applicable to Nasdaq’s Processing of Customer Personal Data in performance of the Services.

7.2 Duty to Inform. To the extent required by applicable Data Protection Laws, Nasdaq will immediately inform Customer if, in Nasdaq's opinion, any Customer instruction violates such applicable Data Protection Laws.

7.3 Customer Audit Rights. In order to satisfy any audit or inspection request by Customer under applicable Data Protection Laws or the Model Processor Contract, Nasdaq will provide Customer with the assistance required in Section 7.1 of this DPA and the Information Security Materials set forth in Section 7.4 in order to verify Nasdaq's compliance with its obligations under this DPA.

7.4 Information Security Materials. Upon Customer's written request, Nasdaq will make available to Customer the relevant information security materials for the applicable Service (the "Information Security Materials") through an access-restricted website in read-only format. The Information Security Materials are the Confidential Information of Nasdaq. Nasdaq may modify, amend, or replace the Information Security Materials without notice to Customer. To the extent available for the applicable Service, the Information Security Materials may contain the following:

7.4.1 A summary of any third-party audits or certifications relating to the security controls of the applicable Service, including any Service Organization Control (SOC) Type 2 reports and ISO 27001:2013 certifications;

7.4.2 Nasdaq’s Acceptable Use Policy, Data Classification Policy, Mobile Device Policy, and Information Security Policy;

7.4.3 Nasdaq’s Access Control Standard, Enterprise Patch Management Standard, Logging Standard, Network Security Standard, Password Standard, and Web Application Security Standard;

7.4.4 Nasdaq’s Code of Ethics and Nasdaq’s Privacy Policy; and

7.4.5 Any other published materials made available by Nasdaq, which further describe Nasdaq’s principles, programs, and practices regarding information security and privacy.

8. Return or Deletion of Customer Personal Data

8.1 Return or Deletion of Customer Personal Data. Upon termination of the Agreement, Nasdaq will delete, return, or provide Customer with a mechanism to allow Customer to obtain a copy of or delete all Customer Personal Data, except to the extent such data may be required to be retained by Nasdaq under applicable laws or document retention policies adopted in accordance with such laws; provided, however, the confidentiality obligations and use restrictions in the Agreement will continue to apply to such Customer Personal Data for the duration of retention.

9. Personal Data Breach of Customer Personal Data

9.1 Personal Data Breach Notification. If Nasdaq becomes aware of a Personal Data Breach of the Services involving Customer Personal Data, Nasdaq will notify Customer of such Personal Data Breach without undue delay unless prohibited by law or as otherwise requested by a governmental authority.

9.2 Personal Data Breach Assistance. If Nasdaq notifies Customer of a Personal Data Breach in accordance with Section 9.1 of this DPA, Nasdaq will provide Customer with assistance in relation to handling a Supervisory Authority's request for information with respect to such Personal Data Breach as required by applicable Data Protection Laws.

10. Cross-Border Transfers of Customer Personal Data from Customer

10.1 Model Processor Contract; Identities of the Data Exporter and the Data Importer. To the extent that Customer transfers Customer Personal Data from a location or entity in a jurisdiction, including the European Economic Area (the "EEA"), the United Kingdom, and Switzerland, where applicable Data Protection Laws require Customer to obtain appropriate safeguards regarding the cross-border transfer of such Customer Personal Data to a Nasdaq entity located outside of such jurisdiction, except for a jurisdiction which is deemed by the relevant Supervisor Authority to have an adequate level of protection for such Customer Personal Data (“Restricted Transfers”), the Parties agree that the provisions in the European Commission Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU) (as amended from time to time, the "Model Processor Contract") will apply and are incorporated herein by reference. For purposes of the Model Processor Contract, the Customer entity established in the jurisdiction that is exporting Customer Personal Data to a Nasdaq entity located outside of such jurisdiction will be deemed the "data exporter," and the Nasdaq entity located outside of such jurisdiction receiving such Customer Personal Data will be deemed the "data importer."

10.2 Details of the Model Processor Contract. The Personal Data Processing activities in Appendix 1 to the Model Processor Contract will be such activities as necessary for Nasdaq to perform the Services for Customer as described in the Agreement. The categories of Data Subjects and categories of Personal Data in Appendix 1 to the Model Processor Contract will be those provided by Customer to Nasdaq pursuant to the Services as set forth in Appendix 1 to this DPA. The data security measures in Appendix 2 to the Model Processor Contract will be those identified in Appendix 2 of this DPA.  In the event of any inconsistency between the terms of the Model Processor Contract and any terms of this DPA with respect to Restricted Transfers, the terms of the Model Processor Contract will govern and control.

11. LIMITATIONS OF LIABILITY

11.1 GENERAL LIABILITY CAP. EXCEPT FOR LIABILITY ARISING FROM EACH PARTY'S INDEMNIFICATION OBLIGATIONS, GROSS NEGLIGENCE, OR WILLFUL MISCONDUCT, IN NO EVENT WILL EITHER PARTY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS DPA, WHETHER ARISING UNDER OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, EXCEED THE TOTAL AMOUNTS PAID AND AMOUNTS ACCRUED BUT NOT YET PAID TO NASDAQ FOR THE AFFECTED SERVICE IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM. THE LIMITATIONS IN THIS SECTION 11.1 WILL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW.

11.2 NO DOUBLE RECOVERY; SURVIVAL. FOR THE AVOIDANCE OF DOUBT, SECTION 11 OF THIS DPA SETS OUT EACH PARTY’S EXCLUSIVE LIABILITY WITH RESPECT TO THIS DPA. NEITHER PARTY IS ENTITLED TO RECOVER DAMAGES MORE THAN ONCE FROM THE OTHER PARTY WITH RESPECT TO THE SAME LOSSES SUFFERED OR INCURRED BY THE PARTY CLAIMING SUCH LOSSES. THE LIMITATIONS IN SECTION 11 OF THIS DPA WILL SURVIVE TERMINATION OF THE AGREEMENT AND THIS DPA.

12. Miscellaneous

12.1 Assistance Costs. To the extent legally permitted, Customer is responsible for the reasonable costs and fees associated with Nasdaq's provision of assistance under this DPA and implementation of any Modified Instructions.

12.2 Expansion or Modification of Customer Audit Rights. For the avoidance of doubt, no provision in this DPA will be deemed to expand or modify the audit rights of Customer under the Agreement.

12.3 Choice of Law. Except with respect to the Model Processor Contract, this DPA is governed by the laws which govern the Agreement, and any dispute between the Parties is to be handled as set forth in the Agreement. The Model Processor Contract will be governed by the laws of the jurisdiction in which the relevant data exporter is established.

12.4 Entire Agreement; Amendments and Modifications. This DPA, together with any other documents incorporated herein by reference and all exhibits, schedules, addenda, and appendices incorporated into this DPA, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this DPA and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. Except as expressly provided in this DPA, the terms of the Agreement are and will remain in full force and effect. This DPA may only be amended by a written amendment that specifically references this DPA and the intent of the Parties to modify it.

APPENDIX 1

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

As set forth in Section 10.1 of the DPA. The data exporter is the purchaser or user of the Services as set forth in the Agreement and in connection with such may instruct the data importer to Process Customer Personal Data.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

As set forth in Section 10.1 of the DPA. The data importer is the provider of the Services as set forth in the Agreement and Processes Customer Personal Data upon the instruction of the data exporter.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The data exporter may submit Customer Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include Personal Data relating to the following categories of data subjects;

• Employees, agents, advisors, customers of the data exporter (who are natural persons)
• The data exporter’s users authorized by the data exporter to use the Services

Categories of data

The personal data transferred concern the following categories of data (please specify):

The data exporter may submit Customer Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include Personal Data relating to the following categories of data;

• First and last name, title, position
• Contact information (company, email, phone, physical business address)

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

In the general course of using the Services, it is not anticipated that the data exporter will provide any Special Data Categories. However, subject to Section 2.7 of the DPA, the data exporter may submit Special Data Categories to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The objective of Processing Customer Personal Data by the data importer is the performance of the Services.

APPENDIX 2

With respect to the Customer Personal Data transferred to or received by the data importer under the Agreement, the data importer has implemented, and will maintain, a comprehensive written information security program ("Information Security Program") that includes administrative, technical, and physical safeguards to ensure the confidentiality, security, integrity, and availability of Customer Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Customer Personal Data. In particular, the Information Security Program will include the following safeguards where appropriate or necessary to ensure the protection of Customer Personal Data:

• Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Customer Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Customer Personal Data or information relating thereto to unauthorized individuals; and (iv) to encrypt and decrypt Customer Personal Data where appropriate.
• Security Awareness and Training – a security awareness and training program for all members of the data importer's workforce (including management), which includes training on how to implement and comply with its Information Security Program.
• Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Customer Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
• Contingency Planning – policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Customer Personal Data or systems that contain Customer Personal Data, including a data backup plan and a disaster recovery plan.
• Device and Media Controls – policies and procedures on hardware and electronic media that contain Customer Personal Data into and out of a data importer facility, and the movement of these items within a data importer facility, including policies and procedures to address the final disposition of Customer Personal Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Customer Personal Data from electronic media before the media are made available for re-use.
• Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.
• Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Customer Personal Data and protect it from disclosure, improper alteration, or destruction.
• Storage and Transmission Security – technical security measures to guard against unauthorized access to Customer Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Customer Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access.
• Assigned Security Responsibility – The data importer will designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. The data importer will inform the data exporter as to the person responsible for security.
• Storage Media – policies and procedures to ensure that prior to any storage media containing Customer Personal Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, the data importer will delete such Customer Personal Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media. The data importer will maintain an auditable program implementing the disposal and destruction requirements set forth in this section for all storage media containing Customer Personal Data.
• Testing – The data importer will regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
• Adjust the Program – The specifications provided herein apply as of the Effective Date. The data importer will monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Customer Personal Data, internal or external threats to the data importer or the Customer Personal Data, and the data importer's own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems. In light of the foregoing, the Information Security Program is subject to change; provided, however, that any such update will not lessen the applicable information security protections.