Data management and security policy

Date posted: 2013/10/19

Access, use and legal compulsion
Unless it receives Recipient’s prior written consent, Provider: (i) will not access or use data in electronic form collected through the Services from Recipient’s customers or other third parties, or collected or accessible directly from Recipient, (collectively, “Project Data”) other than as necessary to facilitate the Services; and (ii) will not give any third party access to Project Data. Notwithstanding the foregoing, Provider may disclose Project Data as required by applicable law or by proper legal or governmental authority. Provider will give Recipient prompt notice of any such legal or governmental demand and reasonably cooperate with Recipient in any effort to seek a protective order or otherwise to contest such required disclosure, at Recipient’s expense.

Recipient’s rights
Recipient possesses and retains all right, title, and interest in and to Project Data, and Provider’s use and possession thereof is solely as Recipient’s agent. Recipient may access and copy any Project Data in Provider’s possession at any time, through the media of communication described on the data access rules attached to this Agreement as Attachment 1. Provider will facilitate such access and copying promptly after Recipient’s request.

Retention and deletion
Provider will retain any Project Data in its possession until Erased (as defined below) pursuant to this Subsection (c). Provider will Erase: (i) any or all copies of Project Data promptly after Recipient’s written request; and (ii) all copies of Project Data no sooner than 14 business days after termination of this Agreement and no later than 90 business days after such termination. Notwithstanding the foregoing, Recipient may at any time instruct Provider to retain and not to Erase or otherwise delete Project Data, provided Recipient may not require retention of Project Data for more than 30 business days after termination of this Agreement. Promptly after Erasure pursuant to this Subsection (c), Provider will certify such Erasure in writing to Recipient. (“Erase” and “Erasure” refer to the destruction of data so that no copy of the data remains or can be accessed or restored in any way.)

Technical and physical security
In its handling of Project Data, Provider will observe the Technical and Physical Security Requirements attached to this Agreement as Attachment 2. Individuals’ access Provider will not allow any of its employees to access Project Data, except to the extent that an employee needs access in order to facilitate the Services and executes a written agreement with Provider agreeing to comply with Provider’s obligations set forth in this Agreement.

Compliance with law and policy
Provider will comply with all applicable federal and state laws and regulations governing the handling of Project Data.

Provider will promptly notify Recipient of any actual or potential exposure or misappropriation of Project Data (any “Leak”) that comes to Provider’s attention. Provider will cooperate with Recipient and with law enforcement authorities in investigating any such Leak, at Provider’s expense. Provider will likewise cooperate with Recipient and with law enforcement agencies in any effort to notify injured or potentially injured parties, and such cooperation will be at Provider’s expense, except to the extent that the Leak was caused by Recipient.

Attachment 1: Recipient’s data
Recipient can request a copy of all database records:

Recipient requests copy of database in writing (e-mail is acceptable).
Within 14 days, Provider gives a .csv file to Recipient.

Attachment 2: Technical and physical security
Recipient data are stored on remote servers and secured with the following technologies:

All shell access secured using Secure Shell (SSH)
All web traffic secured using SSL/TLS-based cryptography
Data resides in premier secure facilities provided by Digital Ocean, Inc.
Data center physically secured 24/7/365
On-site security including security cameras and biometric security
Data is protected using off-site backups