Last updated March 1, 2019

1. Data Governance

a. In the course of providing the Services, HC Moneyball may collect, transfer, store and use Customer Data, as defined in the Agreement, provided to, collected by or made accessible to HC Moneyball.  For these purposes, Customer Data may be transferred to or be accessible to (i) HC Moneyball personnel as is required to perform the Services in accordance with the Agreement and in accordance with applicable data privacy protection laws; and (ii) third parties (including, but not limited to, courts, law enforcement, or regulatory authorities), where required by law, provided HC Moneyball will provide reasonable notice to Customer prior to any such disclosure if legally permissible.

b. HC Moneyball shall maintain internal company wide policies and procedures addressing the secure storage and handling of Customer Data which shall comply with generally accepted industry standards.

c. Customer grants to HC Moneyball a non-exclusive, perpetual, irrevocable, worldwide license to use, sample, collect, and compile Customer Data in aggregated, de-identified form for the purposes of HC Moneyball’s providing or maintenance of, improvement to, and operation of the Services or for any new or different products or services.  

d. In addition, to the extent Customer purchases Services, Customer grants to HC Moneyball the right to sub-license to third parties the Customer Data, which includes the survey responses in a de-identified form for the purposes of improvements to the questions sets and benchmarking data.

2. Privacy and Compliance

HC Moneyball represents and warrants that with respect to the collection, storage, transfer, and use of Customer Data it shall comply with (i) all applicable governmental laws, rules, and regulations, including, but not limited to, the European Union General Data Protection Regulations, if applicable, (ii) its Privacy Policy, (iii) generally accepted industry standards, and (iv) shall only do so if and to the extent required to perform services pursuant to the Agreement.

3. Information Security Management Program

HC Moneyball shall maintain a documented, approved and implemented information security management program in accordance with generally accepted industry standard practices that include reasonable administrative, technical, and physical safeguards to protect assets and Customer Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The information security management program will address the following areas: risk management, security policy, organization of information security, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development, and maintenance, supplier management, information security incident management, information security aspects of business continuity management, and compliance.

4. Data Protection

When working with Customer Data, HC Moneyball shall maintain the following:

a. Designated security and privacy personnel and departments responsible for the development and implementation of the information security and privacy practices required by this Agreement and applicable law;

b. Implement reasonably appropriate security and privacy awareness training for all members of its workforce;

c. Transfer and store Customer Data in an encrypted/secure manner;

d. Shall not store Customer Data on unencrypted mobile devices or media, such as laptops, phones, USB drives, etc;

e. Implement reasonably appropriate technical safeguards to protect Customer Data, such as firewalls, intrusions detection systems, logging and monitoring systems, access control systems and encryption;

f. Reasonably timely de-provisioning, revocation or modification of user access to HC Moneyball’s systems, information assets and Customer Data shall be implemented by HC Moneyball upon any change in status of employees, contractors, customers, business partners or third parties. Any change in status is intended to include termination of employment, contract or agreement, change of employment, transfer within the organization or change in SaaS Service delivery. 

g. Maintain procedures for data retention and storage, and backup/redundancy mechanisms. HC Moneyball will test the recovery of backups at planned intervals

h. Implement reasonable physical safeguards to restrict physical access to Confidential Information, such as restricted access requiring authentication, and appropriate environmental controls. Physical security perimeters (which may include fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to reasonably safeguard Customer Data and HC Moneyball’s relevant information systems.

5. Disaster Recovery

a. HCMoneyball shall have a defined and documented business continuity/disaster recovery plan for recovery services provided to the Customer.

b. Such plan shall provide for reasonable physical protection against damage from deliberate attacks as well as natural causes and disasters.

c. Security mechanisms and redundancies shall be implemented by HCMoneyball to reasonably protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).

d. Telecommunications equipment, cabling and relays transferring data or supporting SaaS Services shall be reasonably protected by HCMoneyball from interception or damage and designed with redundancies, alternative power source and alternative routing.

e. Such plan shall provide for appropriate backup facilities and technology that will permit transition of the Services (from the previous night’s backup date), with a maximum recovery time of 24 hours from declaration of a disaster to be operational and accessible to Customer.

f. HCMoneyball shall conduct a test of such plan each year.  Customer may request the annual high-level summary of the results of such test.

6. Data Breach

HCMoneyball will respond to, contain and remediate security incidents, using commercially reasonable efforts, on a 24/7 basis. HCMoneyball shall notify Customer of security incidents within twenty-four (24) hours of becoming aware of an actual incident involving Customer Data.  An “incident” is a breach of confidentiality, data integrity or a security compromise of a network or server resulting in the unauthorized access, use, transfer or acquisition of Customer Data.  HCMoneyball shall inform Customer about incident response activities in reasonable intervals until the incident is resolved, which may include documenting and keeping Customer reasonably informed of all investigative and recovery efforts related to any such incidents, including discovery, investigation and containment, recovery, use of data and experience for gap identification and process improvement, mitigation plans, and cooperation with law enforcement, if legally permissible, as reasonably appropriate.