Data Protection Policy
(a) Security. MindBlown shall maintain appropriate technical and organizational measures intended to prevent unauthorized or unlawful processing of Raw Data and to prevent any loss, destruction or unauthorized disclosure of Raw Data. Without limiting the generality of the foregoing, MindBlown shall, at a minimum, comply with Industry Appropriate Data Safeguards as they relate to all Confidential Information and Raw Data. “Industry Appropriate Data Safeguards” means those data security, safety and redundancy practices, procedures and safeguards typically implemented by US corporations that meet the EU-US Safe Harbor Program and include, among other things:
(1) ensuring the physical security of servers and any equipment by which data may be accessed, using secure data centers that utilize redundant power and cooling (including generator and UPS backup), dedicated fire suppression, and electronically controlled badge access and video monitoring systems;
(2) restricting data center access to authorized individuals only and ensuring that all access is monitored and recorded for audit purposes;
(3) employing redundant backup systems and disaster mitigation and failover plans;
(4) maintaining physical safeguards of data;
(5) using up to date firewalls and intrusion detection systems and scanning systems with security vulnerability scanning software at regular intervals;
(6) implementing and enforcing a written code of behavior and conduct designed to ensure protection of confidential information;
(7) encrypting extremely sensitive data such as credit card information or any data required by applicable legal requirements to be encrypted;
(8) requiring complex passwords and periodic resetting of passwords on all internet accessible devices;
(9) enforcing security standards and access controls for and by its employees and contractors, limiting access to confidential information to the fewest number of persons with a need to know and limiting access to the least privileges necessary to perform job responsibilities;
(10) installing antivirus software on all production Windows-based servers and desktops/laptops that is configured to automatically download up-to-date virus signatures from a trusted third party source; and
(11) implementing other industry standard security systems, procedures and protocols.
(b) Compliance with Applicable Law. MindBlown shall comply with all applicable law, and applicable industry standards and guidelines (e.g., payment card industry standards), to protect Raw Data.
(c) Breach. If MindBlown discovers or reasonably suspects unauthorized access, acquisition, disclosure, or use (“Security Breach”) of Raw Data, MindBlown shall immediately: (i) notify User of such Security Breach; (ii) investigate and remediate the effects of the Security Breach; and (iii) provide User with assurance reasonably satisfactory to User that such Security Breach shall not recur. User shall have the right to participate in any security investigation relating to the Services or User’s Raw Data. MindBlown shall bear the losses and expenses (including attorneys’ fees) associated with a data breach including, without limitation, any costs (including any attorneys’ fees): (1) of preparing and providing notices of a data breach to affected individuals, and to state, federal, or foreign jurisdiction regulatory bodies including state Attorneys General, and credit bureaus; and (2) of remedying and otherwise mitigating any potential damage or harm of the data breach, including, without limitation, establishing call centers, providing credit monitoring or credit restoration services, as requested by Users.
(d) Return of Data. User shall have unlimited access to and the right to receive its Raw Data in MindBlown’s possession or control. Upon request, MindBlown immediately will return to User or destroy any Raw Data in MindBlown’s possession or control.
(e) Audit Rights. MindBlown shall engage a third party auditor to perform an SSAE 16 (or any successor thereto) audit of MindBlown’s operations related to the Services provided, and shall promptly (1) address and resolve all material weaknesses found by such audit, and (2) keep a copy of the audit report and any supplemental/curative correspondence.