General Business Process and Policy
Legal & Security
All capitalized terms not defined herein will have the meanings that are defined under an applicable Order Form.
1. Services description
The Services will include:
Company’s electronic storage of Submitted Files;
Company’s delivery of notifications to Sponsor regarding regulatory compliance requirements for Sponsor’s Plan;
Technical capabilities for Authorized Users to upload, download, and preview Submitted Files;
Technical capabilities for Authorized Users to customize notifications and folders; and
Ongoing Service updates as determined solely by Company and provided at Company’s discretion to Sponsors without prior notice.
2. Scope Limitations
The parties agree that the following Scope Limitations shall apply to Sponsor’s use of the Services:
Sponsor shall only upload, revise or remove Submitted Files related to its management of its Plan; and
Sponsor shall be responsible for managing its user account information, including but not limited to login credentials and the assignment of responsibilities to its Authorized User(s).
3. Description of any training Services
Company will provide Sponsor with [up to 4 hours] of video and phone-based training on use of the Services.
4. Technical Support Services
(a) Technical Support Services. Company will provide Sponsor with telephone and email technical support during the hours of 9:00 a.m. to 5:00 p.m., Pacific Time, Monday through Friday, excluding holidays observed by Company. Telephone and email technical support consists of assistance related to any problems that cause the Services to not operate correctly. Telephone and email technical support does not include assistance with questions about how to use the Services nor specific questions about ERISA compliance.
(b) Sponsor Obligations
(i) Trained Contacts. Sponsor will appoint an individual within Sponsor’s organization that is trained on the operation of the Services to serve as a primary contact between Sponsor and Company with regards to the Technical Support Services. Sponsor must initiate all requests for Technical Support Services through the individual contact. The Sponsor shall notify Company of the contact details for its primary contact and changes to its primary contact, and keep and maintain current at all times a primary point of contact. Unless Sponsor notifies Company otherwise, the individual Company contact identified and named in an applicable Sponsor Order Form submitted to Company shall be deemed by the Company as the primary contact for the Sponsor.
(ii) Reasonable Assistance. Sponsor will provide Company with reasonable access to all necessary personnel to answer questions regarding errors and other problems reported by Sponsor.
(iii) Error Reporting. Sponsor will document and promptly report all detected errors to Company with enough detail to permit Company to reproduce the error. Sponsor will assist Company with recreating and diagnosing each error.
(iv) Good Standing. The provision of the Technical Support Services by Company during the term of an Order Form is contingent upon Sponsor’s performance of its payment and other obligations under the Order Form. Company reserves the right, in addition to other remedies available, to suspend its provision of the Technical Support Services for so long as Sponsor is not current with its obligations.
5. Applicable Service Levels
(a) Availability. Company will use reasonable efforts to provide the Services so that, other than for scheduled or emergency maintenance, the Services will be accessible in all material respects 90% of the time during any 24-hour period, 95% of the time during any 7-day period, and 98% of the time during any 30-day period. The availability of the Services may be subject to limitations, delays, and other problems inherent to the general use of the internet and other public networks or caused by Sponsor or third parties. Company is not responsible for any delays or other damage resulting from problems outside of Company’s reasonable control.
(b) Performance Issue Corrections. If the Services are not accessible as specified in paragraph (a) above (“Performance Issue“), Company will use reasonable efforts to correct the Performance Issue with a level of effort commensurate with the severity of the Performance Issue. Company and Sponsor will comply with the following resolution procedures for all Performance Issues reported by Sponsor:
(i) Notice of Performance Issue. If Sponsor encounters a Performance Issue, Sponsor must sufficiently define the Performance Issue in a written notice to Company. After receipt of written notice of a Performance Issue from Sponsor, Company will notify Sponsor if Company cannot identify the cause of the Performance Issue. If Company cannot identify the cause of the Performance Issue, Sponsor will provide additional information regarding the Performance Issue as Company may request in order to assist Company with identifying the cause of the Performance Issue. Sponsor will provide a separate written notice for each Performance Issue encountered by Sponsor.
(ii) Performance Issue Classification. In its notice of a Performance Issue, Sponsor will reasonably classify for Company the initial priority of the Performance Issue in accordance with the severity classification table below. To the extent that Company disagrees with any Performance Issue classification provided by Sponsor, Company will promptly advise Sponsor of the revised classification of any Performance Issue.
(iii) Response Time. Company will use reasonable efforts to respond to each of Sponsor’s written notices of Performance Issue within the period set forth in the severity classification table below. Response time is the elapsed time between Sponsor’s first report of an identified Performance Issue and the provision of a plan for resolution by a Company technical contact.
Severity
ClassificationDescription of Performance IssueResponse TimeClass A: EmergencyAny Performance Issue that causes the Services to be completely inaccessible.1 business dayClass B: UrgentAny Performance Issue that causes a material degradation in the performance of the Services.2 business daysClass C: Non-urgentAny Performance Issue that causes a non-critical degradation in the performance of the Services.3 business days
(c) Sponsor Obligations
(i) Trained Contacts. Sponsor will appoint an individual within Sponsor’s organization to serve as a primary contact between Sponsor and Company with regards to these Service Levels. Sponsor must initiate all requests through the primary contact. The Sponsor shall notify Company of the contact details for its primary contact and changes to its primary contact, and keep and maintain current at all times a primary point of contact. Unless Sponsor notifies Company otherwise, the individual Company contact identified and named in an applicable Sponsor Order Form submitted to Company shall be deemed by Company as the primary contact for the Sponsor.
(ii) Reasonable Assistance. Sponsor will provide Company with reasonable access to all necessary personnel to answer questions regarding Performance Issues reported by Sponsor.
(iii) Good Standing. The provision of the Services by Company during the term of the Agreement is contingent upon Sponsor’s performance of its payment and other obligations under an Order Form. Company reserves the right, in addition to other remedies available, to suspend its provision of the Services.
DATA SECURITY ADDENDUM
All capitalized terms not defined in herein will have the meanings that are defined under an Order Form.
1. Definitions
“Sponsor Information” means any and all of Sponsor’s proprietary and confidential information used by the Services, including Sponsor’s personal information, which is information that identifies or can be used to identify an individual.
“Process” or “Processing” means with respect to this Data Security Addendum, any operation or set of operations that is performed upon Sponsor Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2. Information Security Program
2.1. Information Security Program. Company maintains a written information security program that includes policies, procedures, and controls governing the Processing of Sponsor Information through the Services. The Information Security Program is designed to protect the confidentiality, integrity, and availability of Sponsor Information through administrative, technical, and physical controls in line with best practices and applicable laws and regulations.
2.2. Acknowledgment of Shared Responsibilities. The security of Sponsor Information in a cloud-based service depends on Sponsor and Company taking responsibility for the areas of the access, collection, storage, Processing, and using Sponsor Information that they have control over. The Parties acknowledge that (i) Company is responsible for the implementation and operation of the Information Security Program set forth herein, and (ii) Sponsor is responsible for implementing and maintaining the security of access and use controls and configuring certain features and functionalities of the Services.
2.3. Applicability to Sponsor Information. This Data Security Addendum applies to the Sponsor Information Processed through the Services. To the extent Sponsor exchanges information or other data with Company that is not Sponsor Information, as defined, Company will treat such information and data in accordance with the confidentiality terms under an Order Form.
3. Administrative Controls
3.1. Responsibility. Company assigns responsibility for the development, implementation, and maintenance of its information security program by designating one or more individuals with overseeing the management of the program.
3.2. Accountability. Company reviews and tests its security measures in accordance with best practices and applicable laws and regulations.
3.3. Security Awareness and Training. Company provides employees with privacy and security awareness training or materials designed to educate its employees on how to comply with Company’s Information Security Program for the purpose of preventing unauthorized access to, acquisition of, or disclosure of Company Information.
3.4. Vendor Management. Company considers the security procedures and controls of vendors, service providers, and subcontractors that have access to or otherwise Process Sponsor Information on its behalf, including taking into account whether such vendors: (i) use reasonable measures to maintain the physical security of facilities, networks, and systems that store Sponsor Information; (ii) employ best practices to protect the confidentiality, integrity, and availability of Sponsor Information; (iii) conduct regular audits and assessments of their networks and systems; and (iv) maintain sufficient insurance coverage for any failures in their security procedures and controls.
3.5. Risk-Based Assessments. Company maintains a risk analysis procedure for evaluating potential risks and developing appropriate responses, including by regularly monitoring, evaluating, and modifying, as it deems appropriate, its Information Security Program in light of, among other things, relevant changes in technology, and any internal or external threats to Company or the Sponsor Information.
4. Technical Controls
4.1. Access Controls. Company maintains controls and procedures to limit access to Company’s network and systems, which host, Process, or store Sponsor Information. As part of this process, Company has implemented measures to remove access to Company’s information systems that Process Sponsor Information when employees leave Company or no longer require such access to Sponsor Information to perform their job duties.
4.2. Network Security. Company protects the security of its network through the use of software and tools, such as firewalls and load balancers.
4.3. Secure Code. Company manages changes Company makes to its production systems, applications, and databases that Process Sponsor Information in line with best practices related to secure coding practices.
4.4. Monitoring. Company employs monitoring of its network and systems that host, Process or store Sponsor Information. These tools are designed to assist Company in the detection and investigation of security incidents.
4.5. Vulnerability Management. Company has policies to manage vulnerabilities by using resources to security-related alerts and having procedures to timely patch at-risk systems.
4.6. Testing. Company uses technical and procedural mechanisms for the purpose of regularly assessing and ensuring Company’s compliance with its information security policies, procedures, and standards.
5. Physical Controls
5.1. General. Company maintains appropriate physical security measures designed to protect the tangible media, such as physical computer systems, networks, servers, and devices, that Process Sponsor Information.
5.2. Data Retention and Destruction. When Company destroys hardware or other tangible media containing Sponsor Information that Company no longer requires, Company has processes designed to ensure Sponsor Information is securely destroyed when such hardware or other tangible media containing Sponsor Information is no longer needed.
6. Security Incidents
6.1. Incident Response. Company maintains procedures to promptly identify, remediate, and provide notice to Sponsor of Security Incidents (an “Incident Response Program“). For purposes of this Data Security Addendum, “Security Incident” means any security incident resulting in unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of nonencrypted and nonredacted Sponsor Information that is personal information, as defined under applicable law.
6.2. Reporting. Sponsor is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulators or law enforcement agencies applicable to Sponsor or Sponsor’s use of the Services need to be notified of a Security Incident.