About San Manuel Tribal Gaming Commission | San Manuel Band of Mission Indians

Procurement Services

Privacy and Data Security


This Privacy and Data Security Appendix (“PDSA”) sets forth Vendor’s duties and obligations with respect to all Company Information Assets collected, used, transmitted or maintained for Company, or its Affiliates.  In the event of any inconsistencies between the PDSA and the contract to which this PDSA is appended (the “Agreement”), this PDSA will supersede and prevail.  This PDSA describes Company’s privacy and security requirements and sets forth Vendor’s obligations to comply with such requirements.

  1. Definitions

    1. “Company” means the San Manuel affiliated entity that is party to the contract to which this PDSA is appended.

    2. “Company Information Assets” means information or data created, collected, generated, licensed, leased, or purchased by or on behalf of Company or information or data otherwise under the control or responsibility of Company wherever located, including, but not limited to, Personal Information, Confidential Information as defined in the Agreement, and Company intellectual property and financial records, that are disclosed or otherwise made available to Vendor by Company pursuant to or as part of the Agreement as well as any data that Vendor creates, collects, generates, licenses, leases, or purchases on behalf of the Company.

    3. “Law” means any federal, state, local, tribal, municipal, foreign, international, multinational or other constitution, law, statute, treaty, rule, regulation, ordinance or code.

    4. “Personal Information” means any and all information or data (regardless of format) that (i) identifies or can be used to identify, contact or locate an individual, or (ii) that relates to an individual, whose identity can be either directly or indirectly inferred, including any information that is linked or linkable to that individual regardless of the citizenship, age, or other status of the individual, or (iii) is protected under applicable Laws.

    5. “Privacy and Security Requirements” means, collectively, all of the following to the extent relating to privacy, data protection, or security of information (including Personal Information): all (i) applicable requirements of Law, including applicable requirements governing the protection, collection, storage, transfer, disclosure or other use or disposition of Personal Information and security breach notification, including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and its implementing rules and regulations (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the Gramm–Leach–Bliley Act (“GLBA”), the European Union Data Protection Directive 95/46/EC, the California Consumer Privacy Act and its implementing rules and regulations (“CCPA”), the Controlling the Assault of Non-Solicited Pornography And Marketing Act and its implementing rules and regulations (“CAN-SPAM Act”), the Telephone Consumer Protection Act and its implementing rules and regulations (“TCPA”), the Children's Online Privacy Protection Act and its implementing rules and regulations (“COPPA”) and the European Union General Data Protection Regulation (“GDPR”); and (ii) industry standards applicable to Vendor, including, but not limited to, the Payment Card Industry Data Security Standard (“PCI DSS”).

    6. “Security Incident” means the suspected or actual unauthorized access, acquisition, destruction, use, modification or disclosure or release of Company Information Assets.

    7. “Services” means, for purposes of this PDSA, all services that Company requests Vendor to perform under the Agreement that involve processing of, or actual or potential access to, Company Information Assets.

    8. "Service Provider" has the meaning given to that term as set forth in the California Consumer Privacy Act, Cal. Civ. 1798.140(v) and 1798.140(w), as amended, and in its associated regulations.

    9. "Third Party" means a party that is not Company, Vendor, or a Service Provider.

    10. “Vendor” means the non-San Manuel affiliated entity which is party to the contract to which this PDSA is appended.

  2. Data Privacy, Access, Use and Retention

    1. Company Information Assets will be used solely for the purpose of performing the Services. Vendor will not sell Company Information Assets under any circumstance. "Sell," "Selling," "Sale," or "Sold," has the definition given to the term in the CCPA.

    2. Vendor will not appropriate Company Information Assets for its own use or disclose such information to third parties unless specifically authorized by the Company in writing.

    3. Vendor will comply with Company’s privacy policy as provided by Company to Vendor.

    4. Vendor will limit access to Company Information Assets only to those Vendor personnel who need access to the Company Information Assets to perform the Services.  Vendor shall require and instruct its personnel not to discuss, divulge, or disclose any such Company Information Assets to any person or entity except those persons within Vendor and the organizations directly concerned with the performance of the Services.

    5. Vendor represents and warrants that its collection, access, use, storage, disposal, and disclosure of Company Information Assets does and will at all times comply with all Privacy and Security Requirements, as well as the terms and conditions of this Agreement. Vendor represents and warrants: all legally required consents and authorizations under applicable Law have been obtained by Vendor; all legally required notices, undertakings, and compliance measures required under applicable Law have been made or implemented by Vendor; any applicable self-regulatory requirements have been satisfied, including, but not limited to, the guidelines published by the Digital Advertising Alliance; any relevant opt-out signal related to interest-based advertising, or the Sale of information, has been honored by Vendor; and any requirement that Vendor refrain from any act or acts under applicable Law, or self-regulatory regime, shall be honored by Vendor.

    6. Nothing in this PDSA or the Agreement shall operate as a waiver of Company’s right to be exempt from any Law as a result of Company's status as a sovereign or as a result of Company's operation on Tribal trust lands, as applicable.

  3. Information Security

    1. Vendor shall have implemented and will maintain a written information security program (the “Security Program”) applicable to all facilities, networks, infrastructure, devices, and cloud resources used by Vendor to provide the Services, including any applicable subcontractor facilities, networks, infrastructure, devices, and cloud resources.  For purposes of this Agreement, “Security Program” shall include, but shall not be limited to, any and all Vendor policies, procedures, standards, and strategy, whether in hard copy, electronic, recorded form, or otherwise. Such Security Program must contain reasonable and appropriate administrative, technical, and physical safeguards to monitor Vendor’s systems and protect Company Information Assets against anticipated threats or hazards regarding: security, confidentiality, availability, or integrity; loss and accidental, unlawful and unauthorized destruction, alteration, use, disclosure, acquisition, or access.

    2. Vendor will regularly assess risk, including risks to the privacy, security, integrity, and availability of Company Information Assets, and will test and monitor the effectiveness of its security safeguards, controls, countermeasures, systems and procedures. Vendor will timely address any identified risks or effectiveness issues in its security safeguards, controls, countermeasures, systems and procedures.

    3. At a minimum, Vendor’s Security Program shall include:

      1. Appropriate threat monitoring and detection pertaining to systems, databases, and/or infrastructure that store, transmit, or otherwise process Company Information Assets, including appropriate logging and anti-virus/anti-malware software;

      2. Security Incident response program;

      3. Use of secure user identification and authentication protocols, including, but not limited to, unique user credentials, use of appropriate access controls, and strict measures to protect identification and authentication processes;

      4. Patch-management program, whereby Vendor installs, within a commercially reasonable time following release, all security patches and operating system and application security updates for any devices or interfaces through which or with which the Services are provided;

      5. Use of encryption protocols for Personal Information in transit and at rest, as appropriate and feasible;

      6. Implementation of secure coding practices pursuant to industry standards, such as those published by the Open Web Application Security Project;

      7. Secure remote access protocols and use of multi-factor authentication for access to computer systems;

      8. Appropriate network segmentation;

      9. Password management, including requirements addressing rotation and complexity, storage and management, restrictions on password sharing, and account lockout controls;

      10. Training of appropriate personnel on all aspects of the items listed above.

    4. Promptly upon the expiration or earlier termination of the Agreement, Vendor shall return, destroy, or render unreadable or undecipherable Company Information Assets in its possession, custody or control, unless otherwise specified by Company.

    5. In the event of a Security Incident, Vendor shall (i) promptly investigate the Security Incident; (ii) identify the impact of the Security Incident; (iii) take commercially reasonable actions to investigate and mitigate the effects of any such Security Incident; (iv) notify Company of the Security Incident within 72 hours, subject to applicable confidentiality obligations, the direction of law enforcement, and other limitations to the extent allowed and/or required by applicable Law; (v) cooperate with Company in its investigation of any such Security Incident and provide information reasonably requested by Company, including forensic reports, audit logs, and/or root cause analysis; (vi) timely provide any legally required notifications to Company; and (vii) at Company’s sole discretion, provide notification to any individuals affected by the Security Incident, provided that, before doing so, Vendor will provide Company the opportunity to approve any such notification to affected individuals.  Unless expressly required by applicable Law, Vendor is prohibited from communicating with any individual or third party (other than law enforcement) regarding any Security Incident without prior written consent of Company.

    6. No more frequently than once per twelve (12)-month period, upon written request by Company, Vendor shall respond to security questionnaires provided by Company with regard to the Security Program, provided that disclosure of any such information will not compromise Vendor’s confidentiality obligations and/or legal obligations or privileges.

    7. Company reserves the right to request evidence of Vendor’s third-party audits (e.g., Service Organization Control (SOC) 2), at Company’s discretion.

    8. Vendor shall indemnify, defend and hold harmless the Company for, and as to, any damage, loss, liability, fines, assessments, costs and expenses of any kind (including reasonable attorneys’ fees) incurred by or imposed upon Company arising out of or relating to any third party claim, action, audit, lawsuit, proceeding, or regulatory enforcement action that arises from or relates to Vendor’s breach of any of the provisions or representations or warranties contained or referenced in this PDSA. Any limitations of liability set forth in the Agreement, including but not limited to limitations of liability with respect to consequential damages or total aggregate damages, shall not apply to the foregoing indemnity obligation. To the extent this provision conflicts with the Agreement because it offers greater indemnification, defense, or hold harmless rights in favor of the Company than the Agreement for any particular item, then this provision shall control.