INFORMATION SECURITY AND PRIVACY

The terms, conditions and specifications provided in the following Information Security and Privacy Terms are incorporated into and made part of (1) the Caveon Technology and Internet-Based Services Subscriber Agreement and (2) the Caveon Internet-Based Services Subscriber Agreement (the “Agreement”) for each and every Caveon customer that has entered into an Agreement accepted and signed by both the customer and Caveon. The Information Security and Privacy Terms are subject to all other terms and conditions set forth in the Agreement and do not create any obligations for Caveon or convey any rights to any other party in the absence of a fully executed Agreement with Caveon that makes reference to them.

1.1 Protection of Client Data.

(a) Caveon acknowledges and agrees that, in the course of providing the Services to Client, Caveon will receive or have access to Client Data (as defined in the Agreement). Caveon shall comply with the terms and conditions set forth in this Agreement in its collection, receipt, transmission, storage, disposal, use and disclosure of such Client Data and be responsible for the unauthorized collection, receipt, transmission, access, storage, disposal, use and disclosure of Client Data under its control or in its possession.

(b) Client Data is deemed to be Confidential Information of Client and is not Confidential Information of Caveon.

(c) In recognition of the foregoing, Caveon agrees and covenants that it shall:

(i) keep and maintain all Client Data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure;

(ii) use and disclose Client Data solely and exclusively for the purposes for which the Client Data, or access to it, is provided pursuant to the terms and conditions of this Agreement, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Client Data for Caveon’s own purposes or for the benefit of anyone other than Client, in each case, without Client’s prior written consent; and

(iii) not, directly or indirectly, disclose Client Data to any person other than to Authorized Persons (as defined in the Agreement) without express written consent from Client, unless and to the extent required by a lawfully issued Court Order or as otherwise required by applicable law, in which case Caveon shall notify Client before such disclosure or as soon thereafter as reasonably possible.

1.2 Data Security Safeguards and Compliance

(a) Caveon will ensure that its collection, access, use, storage, disposal, and disclosure of Client Data complies with all applicable international, federal and state privacy and data protection laws, as well as all other applicable regulations and directives.

(b) Caveon shall implement administrative, physical and technical safeguards to protect Client Data that are no less rigorous than accepted industry practices, and shall ensure that all such safeguards, including the manner in which Client Data is collected, accessed, used, stored, processed, disposed of and disclosed, comply with applicable data protection and privacy laws, as well as the terms and conditions of this Agreement.

(c) In the course of providing the Services to Client, Caveon shall not collect, access, use, store, process, dispose of or disclose credit, debit or other payment cardholder information.

(d) At a minimum, Caveon’s safeguards for the protection of Client Data shall include:

(i) limiting access of Client Data to Authorized Persons;

(ii) securing business facilities, data centers, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability;

(iii) implementing network, device application, database and platform security;

(iv) securing information transmission, storage and disposal;

(v) implementing authentication and access controls within media, applications, operating systems and equipment;

(vi) encrypting Client Data stored on any mobile media;

(vii) encrypting Client Data transmitted over public or wireless networks;

(viii) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law;

(ix) providing appropriate privacy and information security training to Caveon’s employees; and

(x) ensuring that each of Caveon’s internet service providers, cloud storage providers, contractors, agents, attorneys and auditors that may participate in the collection, access, use, storage, disposal and disclosure of Client Data utilize, at a minimum, the same safeguards for the Protection of Client Data described herein.

(e) Upon the Client’s written request, and to confirm compliance with this Agreement, as well as any applicable laws and industry standards, Caveon shall promptly and accurately complete a written information security questionnaire provided by Client or a third party on the Client’s behalf regarding Caveon’s business practices and information technology environment in relation to all Client Data being handled and/or services being provided by Caveon to Client pursuant to this Agreement. Caveon shall fully cooperate with such inquiries. Client shall treat the information provided by Caveon in the security questionnaire as Caveon’s Confidential Information, as that term is defined in Section 5 of this Agreement.

1.3 Data Breach Procedures

(a) Caveon shall:

(i) provide Client with the name and contact information for an employee of Caveon who shall serve as Client’s primary security contact and shall be available to assist Client twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach;

(ii) notify Client of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after Caveon becomes aware of it; and

(iii) notify Client of any Security Breaches by telephone at the following number: [Client Telephone Number] and e-mailing Client with a read receipt at [Client EMAIL CONTACT] with a copy by e-mail to Caveon’s primary business contact within Client.

(b) Immediately following Caveon’s notification to Client of a Security Breach (as defined in the Agreement), the parties shall coordinate with each other to investigate the Security Breach. Caveon agrees to cooperate with Client in Client’s handling of the matter, including, without limitation:

(i) assisting with any investigation;

(ii) providing Client with physical access to the facilities and operations affected;

(iii) facilitating interviews with Caveon’s employees and others involved in the matter; and

(iv) making available all relevant records, logs, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Client.

(c) Caveon shall take reasonable steps to immediately remedy any Security Breach and prevent any further Security Breach at Caveon’s expense in accordance with applicable privacy rights, laws, regulations and standards.

(d) Caveon agrees that it shall not inform any third party of any Security Breach without first obtaining Client’s prior written consent, other than to inform a complainant that the matter has been forwarded to Client’s legal counsel.

(e) Caveon agrees to cooperate with Client in any litigation or other formal action deemed reasonably necessary by Client to protect its rights relating to the use, disclosure, protection and maintenance of Client Data.