BAKER HILL PRIVACY AND SECURITY ANNEX
This Baker Hill Privacy and Security Annex (“Security Annex”) is incorporated into and made part of the Master Agreement Standard Terms and Conditions existing between Baker Hill Solutions, LLC (“Baker Hill”) and Client (the “Agreement”) and sets forth Baker Hill’s commitments for the protection of Personal Data in connection with the provision of services to Client and/or Client’s access to and the use of certain Baker Hill software that Baker Hill makes available pursuant to a Schedule entered into between the parties (identified as “Services” and “Software” respectively in the Agreement and hereinafter identified collectively herein as the “Baker Hill Services”). In the case of a conflict between this Security Annex and the Agreement, the Agreement shall prevail. Unless otherwise defined in this Security Annex, capitalized terms will have the meaning given to them in the Agreement.


1. Information Security.
   a. Scope. This Security Annex and the Security Measures set forth herein apply specifically to the Personal Data Processed via the Baker Hill Services to the extent such Processing is within the scope of applicable data protection laws and regulations and is performed on or from Baker Hill’s premises. To the extent Client exchanges data and information with Baker Hill that does not meet the definition of “Personal Data,” Baker Hill will handle such data and information pursuant to the confidentiality terms set forth in the Agreement.
   b. General. Baker Hill has implemented and will continue to maintain Security Measures designed to protect the confidentiality and availability of Client’s Personal Data.
   c. Personnel Management. All employees of Baker Hill involved in the performance of the Baker Hill Services (“Personnel”) are required to acknowledge the policies adopted in connection with the Security Measures upon hire and annually thereafter.
   d. Permitted Use of Personal Data. Except as otherwise expressly stated herein, Baker Hill shall only Process Personal Data on behalf of Client, in accordance with Client’s instructions consistent with the Agreement, and as necessary to provide the Baker Hill Services. Baker Hill may allow its employees, Subcontractors, and other personnel to Process the Personal Data to the extent such individuals are needed to facilitate provision of the Baker Hill Services, have been advised of the sensitive nature of the information, and have agreed to commit themselves to confidentiality by entering into written confidentiality obligations with Baker Hill. Baker Hill will not Process Personal Data in any manner other than as permitted or required by the Agreement.
2. Data Security Management.
   a. Maintenance of the Security Measures. Baker Hill will review and maintain the Security Measures set forth herein.
   b. Background Checks and Training. Baker Hill will use commercially reasonable efforts to ensure reasonable and appropriate background investigations are performed on all Personnel who have access to Client’s Personal Data in accordance with applicable laws and regulations prior to their hire. Baker Hill will conduct security and privacy awareness training, upon hire and annually thereafter, and inclusive of acknowledgement and agreement to abide by the organizational security policies and procedures relevant to the Security Measures, for all Personnel who have access to Client’s Personal Data in connection with performing or providing the Baker Hill Services.
   c. Subcontractors. Baker Hill will evaluate all Subcontractors to ensure that Subcontractors maintain adequate physical, technical, organizational, confidentiality, and data protection practices and controls (based on the risk tier appropriate to their subcontracted services) that support Baker Hill’s compliance with the requirements of the Agreement and this Security Annex. A list of Subcontractors used by Baker Hill in providing or supporting the Baker Hill Services is available and may be provided in hard copy upon written request from Client. For the avoidance of doubt, third party providers of Third Party Add-ons are not considered Subcontractors under the Agreement or this Security Annex.
   d. Risk and Security Assurance Framework Contact. Client’s regional sales manager and/or the information security officer at Baker Hill will be Client’s first point of contact for information and support related to the Security Measures. The Baker Hill regional sales manager and/or the information security officer will work directly with Client to escalate Client’s questions, issues, and requests to Baker Hill’s internal team(s) as appropriate.
3. Physical Security.
   a. General. Baker Hill will maintain appropriate physical security measures designed to protect the tangible items on Baker Hill’s premises that Process Personal Data, such as physical computer systems, networks, servers, and devices. Customer Information is not retained within the local user networks within Baker Hill’s facilities.
   b. Data Center Access. Baker Hill will ensure that its commercial-grade data center service providers used in the provision of the Software maintain an on-site security operation that is responsible for all physical data center security functions and formal physical access procedures.
4. Logical Security.
   a. Access Controls. Baker Hill will maintain an access control policy and control Personnel access to the production environment setting where the Software is executed for its final and intended operation by end users (“Production Environment”). Baker Hill will periodically review the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, remove or modify such access rights as appropriate.
   b. Network Security. Baker Hill will maintain an isolated Production Environment for the Software that includes network management controls. Only purpose-built workstations will be connected to Baker Hill systems within the Production Environment, and active directory domains will separate network equipment and firewall rulesets.
   c. Development Life Cycle and Maintenance. Baker Hill uses Microsoft® Azure to host its Software in production and non-production environments in an infrastructure as a service capacity. Baker Hill will employ teams to maintain and upkeep the servers and environments upon which Baker Hill’s internal operations depend. Such teams shall deploy patches, software releases, and test Software changes included in production releases. Segregation of duties is maintained between those who develop Software applications and those who review such changes, and Baker Hill will ensure the Personnel tasked with maintaining the security and availability of the Software are not also tasked with the development of the Software.
5. Storage, Encryption and Disposal.
   a. Storage. Baker Hill will ensure Personal Data is stored within data centers located in the United States unless otherwise required to comply with the law or requests of a governmental or regulatory body (including subpoenas or court orders).
   b. Encryption Technologies. Baker Hill will encrypt Personal Data in transit to and from the Software in accordance with industry standards. Baker Hill requires: (i) transport layer security encryption for all web browsers used in the collection of Personal Data in connection with the Software; and (ii) all access and transfer of data to and from the Software to be via HTTPS protocol for its websites and SFTP or file encryption for bulk data transfers.
   c. Record Disposal. Baker Hill will maintain a data disposal and re-use policy for managing assets and implement industry recognized processes and procedures for secure data disposal. Client authorizes Baker Hill to delete Personal Data remaining with Baker Hill (if any) following termination of the Agreement.
6. Incident Response and Breach Notification.
   a. General. Baker Hill will maintain an incident response program that includes incident management and breach notification policies and associated processes.
   b. Breach Notification. Unless notification is delayed or prevented by the actions or demands of a law enforcement agency or otherwise by applicable law, Baker Hill shall report to Client any unlawful access or unauthorized release, acquisition, use or disclosure of Personal Data maintained by Baker Hill (a “Data Breach”) following determination by Baker Hill that a Data Breach has occurred. To the extent feasible, such notification shall estimate the intrusion’s effect and specify any corrective measures taken. Baker Hill’s obligation to report a Data Breach under this Security Annex is not and will not be construed as an acknowledgement by Baker Hill of any fault or liability of Baker Hill with respect to such Data Breach.
   c. Breach Response. Baker Hill shall take reasonable measures to mitigate the cause of any Data Breach and shall take reasonable corrective measures to prevent future Data Breaches. As information is collected or otherwise becomes available to Baker Hill and unless prohibited by law, Baker Hill shall provide information regarding the nature and consequences of the Data Breach that is reasonably requested to allow Client to notify affected individuals, government agencies and/or credit bureaus. Due to the encryption configuration and security controls associated with the Software, Baker Hill may not have access to or know the nature of the information contained within the Client’s accounts and, as such, Client and Baker Hill acknowledge that it may not be possible for Baker Hill to provide Client with a description of the type of information or the identity of the individuals who may be affected by a Data Breach. Unless otherwise prohibited by law, Client is solely responsible for: (i) notifying any individuals affected by the Data Breach; (ii) notifying the applicable regulatory bodies or enforcement commissions of the Data Breach as required by law; and (iii) the content of any Data Breach notification required pursuant to subparagraphs 6(c)(i) or 6(c)(ii).
7. Client Data Requests.
   a. General. Client shall direct its customers to communicate any assertion of data protection rights, privacy rights, and data requests or inquiries related to the Personal Data (each a “Data Request”) directly to Client, including those made in accordance with the Laws and Standards. If Baker Hill receives a Data Request from Client’s customers, Baker Hill shall have no obligation other than, where legally permitted, to inform Client’s customer that it is not authorized to complete the request.
   b. Cooperation. Upon Client’s written request, Baker Hill will use reasonable efforts to cooperate with Client in dealing with Data Requests and requests from Client’s regulatory authorities that relate to Personal Data.

© Baker Hill Solutions, LLC. All rights reserved. Proprietary & Confidential

Rev-11.2019