1. SECURITY GUIDELINES.
1.1 Information Security Program. Miovision maintains a dedicated information security program aligned with commercially recognized industry standards and frameworks to ensure the confidentiality, integrity, and availability of Customer Data. Miovision employs a combination of technical, physical, and administrative controls designed to prevent the unauthorized disclosure, modification, or destruction of sensitive data.
1.2 Data Management. Miovision leverages defined processes for the storage, security, use, and management of system data, as follows:
(a) Regular backups are maintained for critical Customer Data in accordance with Applicable Laws.
(b) Sensitive data is encrypted both in transit and at rest.
(c) Miovision will notify Customer of any request from a regulatory or law enforcement body that includes Customer Data, unless prohibited by law.
(d) Upon termination of this Agreement and at the written request of the Customer, Miovision will return, delete or destroy Customer Data where technically reasonable. However, if Miovision is required by law to retain the Customer Data, or the Customer Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then Miovision will continue to protect the Customer Data in accordance with the terms of any Master Services Agreement and these Guidelines and limit any use to the purpose of such retention.
(e) Miovision may aggregate and use Customer Data (the “Aggregated Customer Data”) for analytics, marketing, industry analysis, or other business purposes in service of providing the Miovision platform; provided however, that at no time can Customer, any Authorized User, any Customer, and/or the business operations of either Customer or its Customer(s) be identified when reviewing the Aggregated Customer Data.
1.3 Data Security. Miovision maintains a dedicated information security program that meets all requirements of Applicable Laws and is designed to protect Miovision and its systems, and Customer Data, which includes the following elements:
(a) Network: Miovision maintains industry-appropriate network security infrastructure, including firewalls, intrusion detection and inspection technologies.
(b) Logging: Miovision captures, retains and inspects system logs to detect malicious or anomalous activity.
(c) Access Control: Miovision conforms to the principle of least privilege. System access is limited to what is required for Miovision personnel to perform their duties.
(d) Antivirus/Anti-Malware: Miovision maintains technology at the host and network level to detect and prevent malicious activities performed by unauthorized software. Antivirus definitions are updated on a regular basis.
(e) Vulnerability Management: Miovision regularly audits and assesses system components for vulnerabilities. Identified vulnerabilities are remediated using a risk-based prioritization approach. Miovision will include vulnerability detection and remediation as part of the software development cycle.
(f) Systems Audit: Miovision will conduct regular internal and external audits of systems and data, in line with industry standards and regulations. No more than once per year, Customers may request in writing access to all reasonable Documentation related to Miovision’s policies and processes. Miovision reserves the right to refuse any request to provide information that poses an undue security risk to Miovision or its Customers.
(g) Penetration Testing: Miovision conducts internal and external penetration tests. Penetration testing of Miovision systems by Customer or a third party must be coordinated with and approved by the Miovision Information Security team.
(h) Security Awareness: Security awareness training is required for Miovision personnel and is conducted on a regular basis. Employees participate in security awareness training as part of the Miovision new employee orientation process and annually thereafter.
(i) Incident Management: Miovision maintains a defined process for the handling and management of information security incidents.
(j) Security Breach Notification: Miovision will notify Customers of any accidental or intentional exposure, loss, or alteration of Customer Data by unauthorized parties in a timely manner, but in any event within forty-eight (48) hours of becoming aware of a Data Security Incident (as defined herein), unless prohibited by law. Miovision shall provide Customer with a detailed description of the Data Security Incident, the type of Customer Data that was the subject of the Data Security Incident and, to the extent known to Miovision, the identity of each affected individual, as soon as such information can be collected or otherwise becomes available, as well as all other information and cooperation that Customer may reasonably request relating to the Data Security Incident. The parties shall cooperate in determining whether notification to affected individuals and/or government authorities is required under Applicable Laws. If notification is required, Miovision shall pay all reasonable costs of such notifications. For purposes of this paragraph, a “Data Security Incident” means any accidental, unauthorized or unlawful access, acquisition, theft, destruction, or disclosure of Customer Data that occurs while such Customer Data is in the possession of or under the control of Miovision, or under the control of a third party contracted with Miovision to provide any portion of the Services contemplated by this Agreement.
(k) Mitigation: Miovision agrees to take action immediately, at its own expense, to investigate any Data Security Incident and to identify, prevent, and mitigate the effects of the Data Security Incident and, with Customer’s prior written agreement, to carry out any recovery or other action necessary to remedy the Data Security Incident.
(l) Publicity: Miovision shall not issue, publish or make available to any third party any press release or other communication concerning a Data Security Incident involving Customer’s Data without Customer’s prior written approval or request unless otherwise required by any Applicable Laws, provided that, to the fullest extent permitted by law, Miovision will promptly notify Customer of such a required disclosure and will cooperate with Customer to contest or minimize the scope of the disclosure.
(m) Cooperation: Miovision shall provide full cooperation and assistance to Customer to enable Customer to fulfill its obligations to enable individuals affected by a Data Security Incident to exercise their rights under Applicable Laws. Miovision shall notify Customer within three (3) business days of all communications Miovision receives from an affected individual seeking to exercise his or her rights in connection with a Data Security Incident.
1.4 Information Security Policies; Standard Procedures. Without limiting the generality of Section 1.3 hereof or any other provisions of any Agreement or any SOW, Miovision shall have in place information security policies, standards, processes and procedures aligned with industry standards, including the following leading practices where applicable:
1.4.1 safeguarding all Customer Data resident on systems operated by or for the benefit of Miovision or in the possession or control of Miovision for so long as and to the extent required pursuant to the terms hereof;
1.4.2 transmitting Customer Data in encrypted form using industry-standard encryption algorithms and other secure methods (such as a virtual private network), and encrypting Customer Data at rest;
1.4.3 safeguarding the physical integrity and condition of all media in the possession or control of Miovision containing Confidential Information of Customer, Customer assets or Customer Data;
1.4.4 ensuring Miovision has in place logical as well as physical access control systems, which include a means of individual identification and authentication before allowing access to Customer systems and Customer Data;
1.4.5 ensuring the systems and applications processing Customer Data generate audit trails that can be reviewed for data integrity checking and for identifying any Security Breach;
1.4.6 restricting access to the computer stored data, information, files and programs of Customer and its Affiliates, so that such items are available only to Miovision and Miovision Representatives on a “need to know” basis;
1.4.7 ensuring that only properly licensed software is installed on the systems used for Customer business;
1.4.8 ensuring the systems are free of Malware, which could be used to compromise Customer’s Data, and Miovision shall regularly scan the systems to detect and remove such Malware; and
1.4.9 ensuring that the latest software and hardware upgrades and patches have been tested and applied to these systems in order to address all known vulnerabilities within a commercially reasonable period of time.
1.5 Cyber Security / Privacy Insurance. Miovision shall maintain network security and privacy coverage during the Term of this Agreement in the amount of at least Two Million Dollars ($2,000,000) per occurrence and at least Five Million Dollars ($5,000,000) in the aggregate.
1.6 Definitions. Capitalized terms not defined herein shall have the meaning ascribed to them in the Master Services Agreement.