EBM shall conduct its own audits pertaining to the Subscription Services. EBM will perform a security audit at least annually and will cause an SSAE 16 SOC 1 Type II audit (or equivalent audit) (“SSAE 16 Audit”) to be conducted periodically for each shared services facility at or from which the Subscription Services are provided or performed. Such security practices shall include:
(i) continuous monitoring for Security Threats and Security Incidents; (ii) use of firewalls and real-time intrusion detection systems, encryption and other secure technologies to collect, store and/or transmit Customer Data; (iii) physical security procedures, including security guards, and regular monitoring of all areas in which Customer Data is stored; (iv) restriction on access to and copying of Customer Data on a “need-to-know” basis and only at authorized locations; and (v) regular monitoring of password procedures used to gain access to Customer Data.
The data center containing the Customer Data shall have the following physical and electronic security requirements: (i) main access monitored with additional access for emergency purposes only; (ii) surveillance cameras in the facility; (iii) access validation with identity check; (iv) electronic log-in validation; (v) creation of accounts only as verified by EBM or sub-contracted hosting provider; (vi) access to servers via encrypted means; and (vii) servers running behind a secure firewall.
EBM will take reasonable technical and organizational measures to keep personal data secure and to protect it against accidental loss or unlawful destruction, alteration, disclosure or access; and will process Customer Data only in accordance with Customer’s instructions, provided they are reasonable and lawful. EBM shall maintain and implement, or cause to be maintained and implemented, a commercially reasonable written disaster avoidance and recovery plan with procedures designed to reasonably safeguard and to recover after a disaster event. In the event of any unplanned interruption in the availability of the Subscription Services or any loss or corruption of any Customer Data (each, a “Disaster Event”), EBM shall restore availability of the Subscription Services and Customer Data within a reasonable amount of time. EBM shall perform disaster recovery testing at least once every calendar year and provide to Customer copies of such test results upon written request.