Docusign Envelope ID: B2E3CB28-321B-4F61-906C-2DA51CA6131C
Contract Number: 25-HTD-ZL-00189 / 491003894

the State, use, publish, copy, disclose to any third party, or permit the use by any third party of any State Records, except as otherwise stated in this Agreement, permitted by law or approved in writing by the State. Subrecipient shall provide for the security of all State Confidential Information in accordance with all applicable laws, rules, policies, publications, and guidelines. Subrecipient shall immediately forward any request or demand for State Records to the State's Principal Representative identified on the Cover Page of this Agreement.

B. Other Entity Access and Nondisclosure Agreements

Subrecipient may provide State Records to its agents, employees, assigns and Subcontractors as necessary to perform the Work, but shall restrict access to State Confidential Information to those agents, employees, assigns and Subcontractors who require access to perform their obligations under this Agreement. Subrecipient shall ensure all such agents, employees, assigns, and Subcontractors sign agreements containing nondisclosure provisions at least as protective as those in this Agreement, and that the nondisclosure provisions are in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential Information. Subrecipient shall provide copies of those signed nondisclosure provisions to the State upon execution of the nondisclosure provisions if requested by the State.

C. Use, Security, and Retention

Subrecipient shall use, hold and maintain State Confidential Information in compliance with any and all applicable laws and regulations only in facilities located within the United States, and shall maintain a secure environment that ensures confidentiality of all State Confidential Information. Subrecipient shall provide the State with access, subject to Subrecipient's reasonable security requirements, for purposes of inspecting and monitoring access and use of State Confidential Information and evaluating security control effectiveness. Upon the expiration or termination of this Agreement, Subrecipient shall return State Records provided to Subrecipient or destroy such State Records and certify to the State that it has done so, as directed by the State. If Subrecipient is prevented by law or regulation from returning or destroying State Confidential Information, Subrecipient warrants it will guarantee the confidentiality of, and cease to use, such State Confidential Information.

D. Incident Notice and Remediation

If Subrecipient becomes aware of any Incident, Subrecipient shall notify the State immediately and cooperate with the State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the State. Unless Subrecipient can establish that Subrecipient, and its agents, employees, and Subcontractors are not the cause or source of the Incident, Subrecipient shall be responsible for the cost of notifying each person who may have been impacted by the Incident. After an Incident, Subrecipient shall take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which may include, but is not limited to, developing and implementing a remediation plan that is approved by the State at no additional cost to the State. The State may adjust or direct modifications to this plan, in its sole discretion and Subrecipient shall make all modifications as directed by the State. If Subrecipient cannot produce its analysis and plan within the allotted time, the State, in its sole discretion, may perform such analysis and produce a remediation plan, and Subrecipient shall reimburse the State for the reasonable costs thereof. The State may, in its sole discretion and at Subrecipient's sole expense, require Subrecipient to engage the services of an independent, qualified, State-approved third party to conduct a security audit. Subrecipient shall provide the State with the results of such audit and evidence of Subrecipient's planned remediation in response to any negative findings.

E. Data Protection and Handling

Subrecipient shall ensure that all State Records and Work Product in the possession of Subrecipient or any Subcontractors are protected and handled in accordance with the requirements of this Agreement, including the requirements of any Exhibits hereto, at all times. As used in this section, the protections afforded Work Product only apply to Work Product that requires confidential treatment.

F. Safeguarding PII

If Subrecipient or any of its Subcontractors will or may receive PII under this Agreement, Subrecipient shall provide for the security of such PII, in a manner and form acceptable to the State, including, without limitation, State non-disclosure requirements, use of appropriate technology, security practices, computer access security, data access security, data storage encryption, data transmission encryption, security inspections, and audits. Subrecipient shall be a "Third-Party Service Provider" as defined in §24-73-

Page 10 of 33